qpid-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rob Godfrey <rob.j.godf...@gmail.com>
Subject Re: [jira] [Created] (QPID-5960) ssl_verify_hostname should default to true rather than false
Date Wed, 06 Aug 2014 10:57:20 GMT
We might also want to improve out hostname verification code a bit (e.g. to
support wildcard certificates).  Perhaps this might help:
https://svn.apache.org/repos/asf/synapse/branches/1.0/modules/nhttp/src/org/apache/axis2/transport/nhttp/HostnameVerifier.java

-- Rob


On 6 August 2014 12:27, Robbie Gemmell <robbie.gemmell@gmail.com> wrote:

> Kieths original proposal and Robs subsequent suggestion both seem sensible
> to me.
>
> Robbie
>
> On 5 August 2014 23:47, Rob Godfrey <rob.j.godfrey@gmail.com> wrote:
>
> > I strongly support the change - we should be secure by default.
> >
> > For convenience for those upgrading from earlier versions, would it make
> > sense to add a system property to be able to set the global default, in
> > addition to the existing ability to set at the individual connection
> level?
> >  In this way those who do not want to have to edit a number of connection
> > URLs could simply set a system property to restore the previous (broken)
> > behaviour.
> >
> > -- Rob
> >
> >
> > On 6 August 2014 00:11, Keith W <keith.wall@gmail.com> wrote:
> >
> > > I want to make QPID-5960 "ssl_verify_hostname should default to true
> > > rather than false" visible on the users list.  This proposed change
> > > affects the Java Client (0-10.0-8) only.
> > >
> > > The intention is to change the default for the ssl_verify_hostname
> > > broker list option [1] from false to true for the next release (0.30).
> > > This means that the Java client will always validate the the server's
> > > identity as presented in the server's Certificate message in order to
> > > prevent man-in-the-middle attacks.  This change is made in order to be
> > > secure by default.
> > >
> > > Users wishing for the old behaviour, will be to revert by simply
> > > adding the ssl_verify_hostname='false' to the connection url.
> > >
> > > Comments welcome.
> > >
> > > Keith.
> > >
> > > [1]
> > >
> >
> http://qpid.apache.org/releases/qpid-trunk/programming/book/QpidJNDI.html#idm233123779008
> > >
> > >
> > >
> > > ---------- Forwarded message ----------
> > > From: Keith Wall (JIRA) <jira@apache.org>
> > > Date: 4 August 2014 17:36
> > > Subject: [jira] [Created] (QPID-5960) ssl_verify_hostname should
> > > default to true rather than false
> > > To: dev@qpid.apache.org
> > >
> > >
> > > Keith Wall created QPID-5960:
> > > --------------------------------
> > >
> > >              Summary: ssl_verify_hostname should default to true
> > > rather than false
> > >                  Key: QPID-5960
> > >                  URL: https://issues.apache.org/jira/browse/QPID-5960
> > >              Project: Qpid
> > >           Issue Type: Improvement
> > >           Components: Java Client
> > >             Reporter: Keith Wall
> > >              Fix For: 0.29
> > >
> > >
> > > The Java Client's connection url option ssl_verify_hostname has
> > > traditionally defaulted to false meaning that during the SSL
> > > negotiation the Java client ignores hostname errors.   This is weak:
> > > by default the client should validate the hostname.  If users should
> > > be forced to turn host name verification off if desired.
> > >
> > > I believe this will also bring the behaviour of the Java client in
> > > line with the CPP client (QPID-5841)
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > --
> > > This message was sent by Atlassian JIRA
> > > (v6.2#6252)
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
> > > For additional commands, e-mail: dev-help@qpid.apache.org
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
> > > For additional commands, e-mail: users-help@qpid.apache.org
> > >
> > >
> >
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message