qpid-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rob Godfrey <rob.j.godf...@gmail.com>
Subject Re: [jira] [Created] (QPID-5960) ssl_verify_hostname should default to true rather than false
Date Tue, 05 Aug 2014 22:47:43 GMT
I strongly support the change - we should be secure by default.

For convenience for those upgrading from earlier versions, would it make
sense to add a system property to be able to set the global default, in
addition to the existing ability to set at the individual connection level?
 In this way those who do not want to have to edit a number of connection
URLs could simply set a system property to restore the previous (broken)
behaviour.

-- Rob


On 6 August 2014 00:11, Keith W <keith.wall@gmail.com> wrote:

> I want to make QPID-5960 "ssl_verify_hostname should default to true
> rather than false" visible on the users list.  This proposed change
> affects the Java Client (0-10.0-8) only.
>
> The intention is to change the default for the ssl_verify_hostname
> broker list option [1] from false to true for the next release (0.30).
> This means that the Java client will always validate the the server's
> identity as presented in the server's Certificate message in order to
> prevent man-in-the-middle attacks.  This change is made in order to be
> secure by default.
>
> Users wishing for the old behaviour, will be to revert by simply
> adding the ssl_verify_hostname='false' to the connection url.
>
> Comments welcome.
>
> Keith.
>
> [1]
> http://qpid.apache.org/releases/qpid-trunk/programming/book/QpidJNDI.html#idm233123779008
>
>
>
> ---------- Forwarded message ----------
> From: Keith Wall (JIRA) <jira@apache.org>
> Date: 4 August 2014 17:36
> Subject: [jira] [Created] (QPID-5960) ssl_verify_hostname should
> default to true rather than false
> To: dev@qpid.apache.org
>
>
> Keith Wall created QPID-5960:
> --------------------------------
>
>              Summary: ssl_verify_hostname should default to true
> rather than false
>                  Key: QPID-5960
>                  URL: https://issues.apache.org/jira/browse/QPID-5960
>              Project: Qpid
>           Issue Type: Improvement
>           Components: Java Client
>             Reporter: Keith Wall
>              Fix For: 0.29
>
>
> The Java Client's connection url option ssl_verify_hostname has
> traditionally defaulted to false meaning that during the SSL
> negotiation the Java client ignores hostname errors.   This is weak:
> by default the client should validate the hostname.  If users should
> be forced to turn host name verification off if desired.
>
> I believe this will also bring the behaviour of the Java client in
> line with the CPP client (QPID-5841)
>
>
>
>
>
>
>
> --
> This message was sent by Atlassian JIRA
> (v6.2#6252)
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
> For additional commands, e-mail: dev-help@qpid.apache.org
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
> For additional commands, e-mail: users-help@qpid.apache.org
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message