  1. Qpid
  2. QPID-8095

ssl_skip_hostname_check behaves like having True as default

    Details

    • Flags:
      Patch

      Description

      Although the Python client connection option "ssl_skip_hostname_check" has a default value of False, hostname verification is skipped when one does not specify this option. That means the evaluation logic of this option overrides the default to True.

       

      Due to the option name and also the natural request to be more secure by default (and rather weaken security only when specifically asked for), I suggest changing the evaluation logic to stand with default False. I.e., when the option is not specified, the SSL hostname check is not skipped / is performed.

       

      Proposed patch:

       

       

      --- /usr/lib/python2.7/site-packages/qpid/messaging/transports.py    2018-02-05 08:34:22.008242874 +0100
      +++ /usr/lib/python2.7/site-packages/qpid/messaging/transports.py    2018-02-05 09:03:22.232313386 +0100
      @@ -111,7 +111,7 @@ else:
       
             # if user manually set flag to false then require cert
             actual = getattr(conn, "_ssl_skip_hostname_check_actual", None)
      -      if actual is not None and conn.ssl_skip_hostname_check is False:
      +      if actual is not True:
               validate = CERT_REQUIRED
       
             self.tls = wrap_socket(self.socket, keyfile=conn.ssl_keyfile,
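
      Review bot: the retained comment above the changed condition ("if user manually set flag to false then require cert") no longer matches the logic. With `if actual is not True:`, `validate = CERT_REQUIRED` is also chosen when `actual` is None (the `getattr` default), not only when the flag was set to False by hand, so the comment should say that validation is required unless the option was explicitly set to True. Two smaller points on the same line: the test now depends only on `_ssl_skip_hostname_check_actual` and no longer reads `conn.ssl_skip_hostname_check`, so it is worth confirming that the two cannot disagree; and `is not True` is an identity test, so a truthy value such as 1 will still be validated, which fails closed but should be stated in the option's documentation. Because callers that never set the option change behaviour, the change also deserves a release note.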
      

       


            People

            • Assignee:
              justi9 Justin Ross
              Reporter:
              pmoravec Pavel Moravec