[ 
https://issues.apache.org/jira/browse/DISPATCH-1762?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17192423#comment-17192423
 ] 

ASF subversion and git services commented on DISPATCH-1762:
-----------------------------------------------------------

Commit c55eb09ab636e48262275439d71906d9fce1f86b in qpid-dispatch's branch 
refs/heads/master from Charles E. Rolke
[ https://gitbox.apache.org/repos/asf?p=qpid-dispatch.git;h=c55eb09 ]

DISPATCH-1762: Connector ssl config errors must prohibit connections

This patch aborts all connector connection attempts if there are
any configuration errors reported by Proton. Previously certain
combinations of hostname verification and certificate validity allowed
connections with unexpected ssl protection levels.

This patch uses clearer language in the error log messages to explain
the specific configuration errors and to identify the connections
that were denied.

 * Each configuration error logs the reason identifying it as a
   configuration error and not as an in-band, openssl-detected problem.

 * Configuration error logs include server connection id number and the
   configured host and port.

 * Connections closed due to internal config errors are abruptly closed.
   A separate log message notes the connection id and the abort reason.

Thanks to Robbie Gemmell for analysis and code review.

This closes #843


> Connector ssl config errors must prohibit connections
> -----------------------------------------------------
>
>                 Key: DISPATCH-1762
>                 URL: https://issues.apache.org/jira/browse/DISPATCH-1762
>             Project: Qpid Dispatch
>          Issue Type: Bug
>            Reporter: Gordon Sim
>            Assignee: Charles E. Rolke
>            Priority: Major
>
> You can connect even if the CA path specified does not exist. (Expectation 
> from the configuration option name is that only the hostname verification is 
> disabled, but that the validity of the certificate is still verified).
> Regardless of errors reported by proton in setting the connector's ssl domain 
> as configured, the router proceeds to open the connection anyway.
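
The fail-closed behaviour the commit message describes, as an added example that is not part of the original message or the qpid-dispatch code: a Python model using the standard `ssl` module in which any TLS configuration error aborts the connection attempt, and disabling hostname verification leaves certificate validation on. `build_tls_context`, `open_connector`, `ConnectorConfigError`, the `dial` callback and the log format are hypothetical names chosen for illustration.

```python
import logging
import ssl

log = logging.getLogger("connector")


class ConnectorConfigError(Exception):
    """Raised when the connector's TLS settings could not be applied."""


def build_tls_context(ca_file, verify_hostname):
    """Apply every TLS setting; return (context, list of config errors)."""
    errors = []
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # starts at CERT_REQUIRED
    # Disabling hostname verification must not relax certificate validation.
    ctx.check_hostname = verify_hostname
    try:
        if ca_file is None:
            ctx.load_default_certs()  # fall back to the system trust store
        else:
            ctx.load_verify_locations(cafile=ca_file)
    except OSError as exc:  # missing/unreadable file, or bad PEM (ssl.SSLError)
        errors.append(f"CA file {ca_file!r} could not be loaded: {exc}")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        errors.append("peer certificate validation is not enforced")
    return ctx, errors


def open_connector(conn_id, host, port, ca_file, verify_hostname, dial):
    """Call dial(host, port, ctx) only if the TLS configuration applied cleanly.

    `dial` is a hypothetical callable that performs the real network connect.
    """
    ctx, errors = build_tls_context(ca_file, verify_hostname)
    for err in errors:
        # Mark the failure as a configuration error and name the connection.
        log.error("[C%d] TLS configuration error for %s:%d: %s",
                  conn_id, host, port, err)
    if errors:
        log.error("[C%d] connection aborted: invalid TLS configuration", conn_id)
        raise ConnectorConfigError("; ".join(errors))
    return dial(host, port, ctx)
```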


