[jira] [Commented] (DISPATCH-401) qdstat and qdmanage client tools do not verify host name when using SSL

Wed, 22 Jun 2016 11:13:07 -0700 

    [ 
https://issues.apache.org/jira/browse/DISPATCH-401?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15344915#comment-15344915
 ] 

ASF GitHub Bot commented on DISPATCH-401:
-----------------------------------------

GitHub user ganeshmurthy opened a pull request:

    https://github.com/apache/qpid-dispatch/pull/83

    DISPATCH-401 - Verified host name by default and added a --no-verify-…

    …host-name to disable host name verification

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/ganeshmurthy/qpid-dispatch DISPATCH-401

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/qpid-dispatch/pull/83.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #83
    
----
commit 8ad0df8494eae79c6fc5ffac8ff12a71d932f08a
Author: Ganesh Murthy <[email protected]>
Date:   2016-06-22T18:09:50Z

    DISPATCH-401 - Verified host name by default and added a 
--no-verify-host-name to disable host name verification

----


> qdstat and qdmanage client tools do not verify host name when using SSL
> -----------------------------------------------------------------------
>
>                 Key: DISPATCH-401
>                 URL: https://issues.apache.org/jira/browse/DISPATCH-401
>             Project: Qpid Dispatch
>          Issue Type: Bug
>          Components: Container
>    Affects Versions: 0.6.0
>            Reporter: Ganesh Murthy
>            Assignee: Ganesh Murthy
>
> qdstat and qdmanage tools do not ensure that when initiating an SSL 
> connection the host name in the URL to which qdstat and qdmanage connect to 
> matches the host name in the digital certificate that the peer sends back as 
> part of the SSL connection.
> Enable host name verification by default on qdstat and qdmanage. Add a 
> command line option called --no-verify-host-name which allows the host name 
> to not match. Add a warning to this command line option saying that it is 
> insecure and should not be used in production environments.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to