Thrift / THRIFT-3599

Validate client IP address against cert's SubjectAltName

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 0.10.0
    • Component/s: Python - Library
    • Labels:
      None

      Description

      After THRIFT-3505, Python TSSLSocket has client cert support but does not perform any hostname matching.
      That means clients can submit any certificate that is unrelated to them and the server side only checks if the cert is in their CA.
      It is in a sense worse than nothing as it can introduce a false sense of security.
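
The check the description says is missing, sketched as an added example (not part of the original issue and not Thrift's own code): after the TLS handshake has verified the chain, the server compares the connecting address with the `IP Address` entries of the certificate's subjectAltName, in the dict format returned by `ssl.SSLSocket.getpeercert()`. The function names and the sample certificate are assumptions made for illustration.

```python
import ipaddress

# Constructed sample in the dict format of ssl.SSLSocket.getpeercert().
# The commonName is deliberately an address that is NOT in subjectAltName.
CLIENT_CERT = {
    "subject": ((("commonName", "10.0.0.9"),),),
    "subjectAltName": (
        ("DNS", "client.example.test"),
        ("IP Address", "10.0.0.5"),
        ("IP Address", "2001:DB8:0:0:0:0:0:1"),
    ),
}

def _normalize(addr):
    """Parse an address and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d),
    the form a dual-stack listener reports for IPv4 peers."""
    ip = ipaddress.ip_address(addr.strip())
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def san_ip_addresses(cert):
    """Return the parsed 'IP Address' entries of the cert's subjectAltName."""
    ips = set()
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "IP Address":
            try:
                ips.add(_normalize(value))
            except ValueError:
                continue  # an unparseable entry can never match
    return ips

def peer_ip_matches_cert(cert, peer_ip):
    """True only if peer_ip is listed as an IP SAN; no commonName fallback."""
    if not cert:
        return False  # no cert presented or chain not validated
    try:
        peer = _normalize(peer_ip)
    except ValueError:
        return False
    return peer in san_ip_addresses(cert)

def check_connection(ssl_sock):
    """Reject a connected ssl.SSLSocket whose cert does not name its address."""
    peer_ip = ssl_sock.getpeername()[0]
    if not peer_ip_matches_cert(ssl_sock.getpeercert(), peer_ip):
        raise PermissionError("client certificate does not cover " + peer_ip)
```

`check_connection` only has something to inspect when the server context requires a client certificate (`ssl.CERT_REQUIRED`); otherwise `getpeercert()` returns nothing useful and the connection is rejected.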

              People

              • Assignee:
                nsuke Nobuaki Sukegawa
                Reporter:
                nsuke Nobuaki Sukegawa