Details
- Bug
- Status: Closed
- Critical
- Resolution: Fixed
- None
- None
Description
After THRIFT-3505, Python TSSLSocket has client cert support but does not perform any hostname matching.
That means clients can submit any certificate that is unrelated to them and the server side only checks if the cert is in their CA.
It is in a sense worse than nothing as it can introduce a false sense of security.
Issue Links
- breaks: THRIFT-3658 Missing file in THRIFT-3599 (Closed)
- is blocked by: THRIFT-2103 [python] Support for SSL certificates with Subject Alternative Names (Closed)
- relates to: THRIFT-1867 Python client/server should support client-side certificates. (Closed)
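The gap the description reports, as an added example (not Thrift's code or the project's fix): a CA-only check accepts any certificate the CA issued, while a name check binds the certificate to the expected peer. The certificate dicts follow the shape returned by Python's `ssl.SSLSocket.getpeercert()`; the hostnames, function names and sample certificates are constructed for illustration.

```python
# Added example: not Thrift code. Cert dicts mimic ssl.SSLSocket.getpeercert().

def _dns_name_matches(pattern, hostname):
    """Case-insensitive match; '*' allowed only as the entire leftmost label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        # Require at least two fixed labels so "*.com" never matches.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return "*" not in pattern and p_labels == h_labels


def peer_name_matches(cert, expected):
    """True if the validated peer certificate is bound to `expected`."""
    if not cert or not expected:
        return False  # no certificate presented, or nothing to compare against
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not dns_names:
        # Fall back to commonName only when no dNSName SAN exists.
        dns_names = [v for rdn in cert.get("subject", ())
                     for k, v in rdn if k == "commonName"]
    return any(_dns_name_matches(n, expected) for n in dns_names)


def ca_only_check(cert):
    """The behaviour the ticket describes: chain validated, names ignored."""
    return bool(cert)


# Constructed sample certificates, both assumed to chain to the trusted CA.
EXPECTED_PEER = "billing.internal.example"
CERT_FOR_PEER = {
    "subject": ((("commonName", "ignored-when-san-present"),),),
    "subjectAltName": (("DNS", "billing.internal.example"),),
}
CERT_UNRELATED = {
    "subject": ((("commonName", "printer-07.internal.example"),),),
    "subjectAltName": (("DNS", "printer-07.internal.example"),),
}

if __name__ == "__main__":
    for label, cert in (("peer", CERT_FOR_PEER), ("unrelated", CERT_UNRELATED)):
        print(label, "ca_only:", ca_only_check(cert),
              "with name check:", peer_name_matches(cert, EXPECTED_PEER))
```

The name check only means something after the TLS layer has validated the chain (`ssl.CERT_REQUIRED`); `getpeercert()` returns an empty dict when the certificate was not validated, which this check treats as a failure.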