Pavel Moravec created QPID-8095:
-----------------------------------
Summary: ssl_skip_hostname_check behaves like having True as
default
Key: QPID-8095
URL: https://issues.apache.org/jira/browse/QPID-8095
Project: Qpid
Issue Type: Bug
Components: Python Client
Reporter: Pavel Moravec
Although python client connection option "ssl_skip_hostname_check" has default
value False, hostname verification is skipped when one does not specify this
option. That means, the evaluation logic of this option overrides the default
to True.
Due to the option name and also the natural request to be more secure by
default (and rather weaken security only when specifically asked for), I
suggest to change the evaluation logic to stand with default False. I.e. when
the option is not specified, SSL hostname check is _not_ skipped / is performed.
Proposed patch:
{code:java}
--- /usr/lib/python2.7/site-packages/qpid/messaging/transports.py 2018-02-05
08:34:22.008242874 +0100
+++ /usr/lib/python2.7/site-packages/qpid/messaging/transports.py 2018-02-05
09:03:22.232313386 +0100
@@ -111,7 +111,7 @@ else:
# if user manually set flag to false then require cert
actual = getattr(conn, "_ssl_skip_hostname_check_actual", None)
- if actual is not None and conn.ssl_skip_hostname_check is False:
+ if actual is not True:
validate = CERT_REQUIRED
self.tls = wrap_socket(self.socket, keyfile=conn.ssl_keyfile,
{code}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org
For additional commands, e-mail: dev-h...@qpid.apache.org
