Qpid Proton
  1. Qpid Proton
  2. PROTON-302

Messenger does not verify the hostname in the peer's SSL certificate.

    Details

    • Type: Bug Bug
    • Status: Resolved
    • Priority: Blocker Blocker
    • Resolution: Fixed
    • Affects Version/s: 0.5
    • Fix Version/s: 0.6
    • Component/s: proton-c
    • Labels:
      None

      Description

      When Messenger is configured to use SSL, and a CA database is provided (via set_trusted_certificates), messenger fails to check that the CommonName/Subject Alternate Name provided in the peer's certificate. Currently, it merely validates that the certificate is signed correctly.

        Activity

        Hide
        Ken Giusti added a comment -

        To fix this:

        In messenger::pn_transport_config(), when the cert database is set up, the following code runs:

        if (messenger->trusted_certificates)

        { pn_ssl_domain_set_trusted_ca_db(d, messenger->trusted_certificates); pn_ssl_domain_set_peer_authentication(d, PN_SSL_VERIFY_PEER, NULL); <----- }

        else {

        ---> that line should be changed to use VERIFY_PEER_NAME instead:

        if (messenger->trusted_certificates)

        { pn_ssl_domain_set_trusted_ca_db(d, messenger->trusted_certificates); pn_ssl_domain_set_peer_authentication(d, PN_SSL_VERIFY_PEER_NAME, NULL); <---- }

        else {

        And, prior to initiating the connection to the server, the pn_ssl_t used for the connection must have the hostname that will be used to connect configured via pn_ssl_set_peer_hostname(). This is the name that will be checked against the CommonName supplied in the certificate.

        You could use the SSL python tests as a guide - see the test_server_hostname_authentication test in tests/python/proton_tests/ssl.py

        Show
        Ken Giusti added a comment - To fix this: In messenger::pn_transport_config(), when the cert database is set up, the following code runs: if (messenger->trusted_certificates) { pn_ssl_domain_set_trusted_ca_db(d, messenger->trusted_certificates); pn_ssl_domain_set_peer_authentication(d, PN_SSL_VERIFY_PEER, NULL); <----- } else { ---> that line should be changed to use VERIFY_PEER_NAME instead: if (messenger->trusted_certificates) { pn_ssl_domain_set_trusted_ca_db(d, messenger->trusted_certificates); pn_ssl_domain_set_peer_authentication(d, PN_SSL_VERIFY_PEER_NAME, NULL); <---- } else { And, prior to initiating the connection to the server, the pn_ssl_t used for the connection must have the hostname that will be used to connect configured via pn_ssl_set_peer_hostname(). This is the name that will be checked against the CommonName supplied in the certificate. You could use the SSL python tests as a guide - see the test_server_hostname_authentication test in tests/python/proton_tests/ssl.py
        Hide
        ASF subversion and git services added a comment -

        Commit 1539013 from rhs@apache.org in branch 'proton/trunk'
        [ https://svn.apache.org/r1539013 ]

        PROTON-302: added negative testing for messenger ssl; added proper validation of messenger credentials; fixed the java work queue and transport work queue implementation; added the missing Delivery.clear() method to proton-j

        Show
        ASF subversion and git services added a comment - Commit 1539013 from rhs@apache.org in branch 'proton/trunk' [ https://svn.apache.org/r1539013 ] PROTON-302 : added negative testing for messenger ssl; added proper validation of messenger credentials; fixed the java work queue and transport work queue implementation; added the missing Delivery.clear() method to proton-j
        Hide
        ASF subversion and git services added a comment -

        Commit 1539393 from rhs@apache.org in branch 'proton/trunk'
        [ https://svn.apache.org/r1539393 ]

        PROTON-302: added clear method to JNIDelivery

        Show
        ASF subversion and git services added a comment - Commit 1539393 from rhs@apache.org in branch 'proton/trunk' [ https://svn.apache.org/r1539393 ] PROTON-302 : added clear method to JNIDelivery

          People

          • Assignee:
            Ken Giusti
            Reporter:
            Ken Giusti
          • Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development