QPID-4918: Python client does not enforce SSL certificate validation even if CAs configured


Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 0.20
    • Fix Version/s: 0.22
    • Component/s: Python Client
    • Labels: None

    Description

      With SSL, the Python client allows the application to specify the trusted CAs that should be used to validate the remote broker's certificate.

      However, there is a bug in the implementation that does not enforce the validation. This bug allows the SSL connection to be established even if the remote does not provide a valid certificate.

      This bug is a security risk. The application has configured a CA to use to validate the remote, but that CA is silently ignored and the remote is allowed to connect without validation. To the application, it appears as if the remote certificate has been verified and the remote has been authorized, when in fact that hasn't happened.

      A CVE has been created for this issue: CVE-2013-1909
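      The following is an added illustration of the failure mode described above, written against Python's ssl.SSLContext API rather than taken from the Qpid client's own code. buggy_context reproduces the reported pattern (a CA file is configured but peer verification is never switched on), fixed_context shows the enforcing configuration, and audit_context flags a context that would silently skip validation; all three function names are hypothetical.

```python
import socket
import ssl
from typing import List, Optional


def buggy_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Reproduces the QPID-4918 pattern: the CA is loaded, but verify_mode is
    left at CERT_NONE, so any certificate the broker presents is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # the silent failure: CA configured but unused
    if ca_file:
        ctx.load_verify_locations(ca_file)
    return ctx


def fixed_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Enforcing configuration: the handshake fails unless the broker's chain
    validates against the configured CA and the name matches."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if ca_file:
        ctx.load_verify_locations(ca_file)
    else:
        ctx.load_default_certs()        # fall back to the system trust store
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return findings for settings under which a CA would be silently ignored."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: broker certificate is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a valid certificate for any name is accepted")
    if ctx.cert_store_stats()["x509_ca"] == 0:
        findings.append("no CA certificates loaded: nothing to validate against")
    return findings


def connect_broker(host: str, port: int, ctx: ssl.SSLContext) -> ssl.SSLSocket:
    """Open a TLS connection to a broker; with fixed_context this raises
    ssl.SSLCertVerificationError instead of connecting to an untrusted peer."""
    raw = socket.create_connection((host, port))
    return ctx.wrap_socket(raw, server_hostname=host)
```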

          People

            Assignee: Ken Giusti (kgiusti)
            Reporter: Ken Giusti (kgiusti)