  1. Thrift
  2. THRIFT-3599

Validate client IP address against cert's SubjectAltName


Details

    • Bug
    • Status: Closed
    • Critical
    • Resolution: Fixed
    • None
    • 0.10.0
    • Python - Library
    • None

    Description

      After THRIFT-3505, the Python TSSLSocket has client cert support but does not perform any hostname matching.
      That means clients can submit any certificate that is unrelated to them, and the server side only checks whether the cert is in their CA.
      It is in a sense worse than nothing, as it can introduce a false sense of security.

            People

              nsuke Nobuaki Sukegawa
              nsuke Nobuaki Sukegawa