Uploaded image for project: 'Thrift'
  1. Thrift
  2. THRIFT-3599

Validate client IP address against cert's SubjectAltName

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Critical
    • Resolution: Fixed
    • None
    • 0.10.0
    • Python - Library
    • None

    Description

      After THRIFT-3505, python TSSLSocket has client cert support but does not perform any hostname matching.
      That means clients can submit any certificate that is unrelated to them and the server side only check if the cert is in their CA.
      It is in a sense worse than nothing as it can introduce false sense of security.

      Attachments

        Issue Links

          breaks

          Bug - A problem which impairs or prevents the functions of the product. THRIFT-3658 Missing file in THRIFT-3599

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed
          is blocked by

          Bug - A problem which impairs or prevents the functions of the product. THRIFT-2103 [python] Support for SSL certificates with Subject Alternative Names

          • Major - Major loss of function.
          • Closed
          relates to

          Improvement - An improvement or enhancement to an existing feature or task. THRIFT-1867 Python client/server should support client-side certificates.

          • Major - Major loss of function.
          • Closed

          Activity

            People

              nsuke Nobuaki Sukegawa
              nsuke Nobuaki Sukegawa
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: