thrift-user mailing list archives

From Aki Sukegawa <ns...@apache.org>
Subject Re: Mutual Auth in Python
Date Mon, 25 Jan 2016 16:03:41 GMT
Hi j.barrett,

Thanks for bringing this up.
Your observation is correct.
The patch only enables what is already done in the standard library and does
not handle hostname verification.
I don't think it's possible for Python < 2.7.9 without modifying Thrift
code.
It's kind of a bug since it's done for server certs and without this it
only gives a false sense of security.
Could you file an issue in our JIRA?
https://issues.apache.org/jira/browse/THRIFT

If you happened to be interested in contributing, I'll definitely check out
your implementation and work for the merge.
Either way, I guess we need it before the next release.

On Sun, Jan 24, 2016 at 9:54 PM j.barrett Strausser <
j.barrett.strausser@gmail.com> wrote:

> Does release 0.9.3 support mutual authentication in Python on version
> 2.7.6? By Mutual Auth I mean does the server check that the client has a
> cert that has been signed by the server's PKI (cert,key)?
>
> Looking at the source it appears that it does not?
>
> Is it supported in 0.9.4? In this commit it appears to have been
> introduced.
>
> https://github.com/apache/thrift/commit/ad8358664e6aa2de9094ca68c8b626b953b572c0
>
> In particular I'm assuming the line below is the relevant test case for
> mutual auth?
>
> https://github.com/apache/thrift/commit/ad8358664e6aa2de9094ca68c8b626b953b572c0#diff-2853875e5d5696e7082aa0e46bc206b1R186
>
> If all the above is the case, does the server side perform hostname
> verification on the client common name?  Any thoughts on how to handle that
> in 2.7.6?
>
>
> Thanks,
>
> -b
> --
>
>
> https://github.com/bearrito
> @deepbearrito
>
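
The gap discussed in this thread, a server that validates the client certificate's chain but never checks which client it names, sketched as an added example; this is not Thrift's code or the patch under discussion. The function names, the allow-list and the sample certificate dicts are assumptions constructed for illustration, and `ssl.create_default_context` requires Python 2.7.9 or later, while the identity check only needs the dict returned by `getpeercert()`.

```python
import ssl

class ClientIdentityError(Exception):
    """The client certificate does not name an authorized client."""

def server_context(certfile, keyfile, client_ca):
    """TLS server context that rejects clients without a cert signed by client_ca."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=client_ca)
    ctx.load_cert_chain(certfile, keyfile)
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain check only: any cert from this CA passes
    return ctx

def client_names(peercert):
    """Identities asserted by a dict in the shape SSLSocket.getpeercert() returns."""
    sans = [v for k, v in peercert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans  # DNS SANs take precedence; the CN is ignored when they exist
    return [v for rdn in peercert.get("subject", ()) for k, v in rdn
            if k == "commonName"]

def authorize_client(peercert, allowed):
    """Return the matched name, or raise if the cert names no allowed client.

    `allowed` is a set of lowercase names (hypothetical allow-list).
    """
    if not peercert:  # None: no cert sent; {}: cert was not validated
        raise ClientIdentityError("no validated client certificate")
    for name in client_names(peercert):
        if name.lower() in allowed:  # exact match only, no wildcards
            return name.lower()
    raise ClientIdentityError("certificate names no authorized client")

def is_authorized(peercert, allowed):
    """Boolean wrapper around authorize_client for callers that only need yes/no."""
    try:
        authorize_client(peercert, allowed)
        return True
    except ClientIdentityError:
        return False

# Constructed sample dicts (not real certificates).
SAN_CERT = {"subject": ((("commonName", "billing-client"),),),
            "subjectAltName": (("DNS", "Billing.internal.example"),)}
CN_ONLY_CERT = {"subject": ((("organizationName", "Example"),),
                            (("commonName", "reports-client"),))}
ALLOWED = {"billing.internal.example", "reports-client"}
```

On the server, the check runs once per accepted connection, after the handshake, on `conn.getpeercert()`; a connection that fails it is closed before any request is read.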
