Mailing-List: contact proton-help@qpid.apache.org; run by ezmlm
Precedence: bulk
Reply-To: proton@qpid.apache.org
Date: Thu, 17 Oct 2013 18:18:43 +0000 (UTC)
From: "Rafael H. Schloming (JIRA)" <jira@apache.org>
To: proton@qpid.apache.org
Message-ID: <JIRA.12617707.1353968019705.81512.1382033923305@arcas>
In-Reply-To: <JIRA.12617707.1353968019705@arcas>
References: <JIRA.12617707.1353968019705@arcas>
Subject: [jira] [Updated] (PROTON-161) SSL impl does not allow verification
 of the peer's identity
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit


     [ https://issues.apache.org/jira/browse/PROTON-161?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rafael H. Schloming updated PROTON-161:
---------------------------------------

    Labels: security  (was: )

> SSL impl does not allow verification of the peer's identity
> -----------------------------------------------------------
>
>                 Key: PROTON-161
>                 URL: https://issues.apache.org/jira/browse/PROTON-161
>             Project: Qpid Proton
>          Issue Type: Bug
>          Components: proton-j
>    Affects Versions: 0.3
>            Reporter: Ken Giusti
>            Assignee: Philip Harvey
>            Priority: Blocker
>              Labels: security
>
> The current SSL implementation validates the peer's certificate, and will not permit the connection to come up if the certificate is invalid.
> However - it does not provide a way to check if the peer's identity as provided in the certificate is the expected identity (eg, the same hostname used to set up the TCP connection).  While a certificate may be valid (that is, signed by a CA trusted by the client), it may not belong to the intended destination.
> RFC2818 explains how this should be done - see section 3.1 Server Identity. 


--
This message was sent by Atlassian JIRA
(v6.1#6144)