[QPID-8095] ssl_skip_hostname_check behaves like having True as default - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Open
Priority: Minor
Resolution: Unresolved
Affects Version/s: None
Fix Version/s: qpid-python-1.38.0
Component/s: Python Client
Labels:
- easyfix
- patch

Flags:

Patch

Description

Although python client connection option "ssl_skip_hostname_check" has default value False, hostname verification is skipped when one does not specify this option. That means, the evaluation logic of this option overrides the default to True.

Due to the option name and also the natural request to be more secure by default (and rather weaken security only when specifically asked for), I suggest to change the evaluation logic to stand with default False. I.e. when the option is not specified, SSL hostname check is not skipped / is performed.

Proposed patch:

--- /usr/lib/python2.7/site-packages/qpid/messaging/transports.py    2018-02-05 08:34:22.008242874 +0100
+++ /usr/lib/python2.7/site-packages/qpid/messaging/transports.py    2018-02-05 09:03:22.232313386 +0100
@@ -111,7 +111,7 @@ else:
 
       # if user manually set flag to false then require cert
       actual = getattr(conn, "_ssl_skip_hostname_check_actual", None)
-      if actual is not None and conn.ssl_skip_hostname_check is False:
+      if actual is not True:
         validate = CERT_REQUIRED
 
       self.tls = wrap_socket(self.socket, keyfile=conn.ssl_keyfile,

Attachments

Activity

People

Assignee:: Justin Ross

Reporter:: Pavel Moravec

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 05/Feb/18 08:11

Updated:: 08/Apr/18 14:29