[ https://issues.apache.org/jira/browse/PROTON-2397?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Clifford Jansen updated PROTON-2397:
------------------------------------
    Description: 
Proton C and its associated bindings do not have consistent default client side 
TLS configuration. Proton libraries will be changed on a per-language/binding 
basis so that all clients verify the server's certificate and identifying name 
by default, i.e. to use PN_SSL_VERIFY_PEER_NAME unless the application takes 
steps to change the desired level of authentication.

This default behaviour is required for the Proton libraries to be compliant 
with the TLS specification 1.3 (RFC 8446). Such compliance is obviously highly 
desirable now and will become mandatory in the future.

C++ applications will not be affected (this is the existing default).

C, Python, Ruby and Go applications that fully configure their client 
connections are also unaffected.

Python programs that use MESSAGING_CONNECT_FILE (or the connect.json 
equivalent) are unaffected.

Proton applications that do not make outbound connections are unaffected.

All other applications may run into stricter verification policies that cause 
previously successful TLS negotiations to now fail. These applications will 
need to either:

- explicitly downgrade the verification mechanism of outgoing connections to 
the old default (PN_SSL_ANONYMOUS_PEER)

- update server certificates and/or client trusted root CAs as required to 
work in the full PN_SSL_VERIFY_PEER_NAME verification mode.

> Update default client TLS defaults for verifying outbound connections to AMQP 
> servers.
> --------------------------------------------------------------------------------------
>
>                 Key: PROTON-2397
>                 URL: https://issues.apache.org/jira/browse/PROTON-2397
>             Project: Qpid Proton
>          Issue Type: Improvement
>          Components: cpp-binding, go-binding, proton-c, python-binding, 
> ruby-binding
>    Affects Versions: proton-c-0.34.0
>            Reporter: Clifford Jansen
>            Assignee: Clifford Jansen
>            Priority: Major
>             Fix For: proton-c-0.35.0
>



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
