[
https://issues.apache.org/jira/browse/PROTON-161?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13504844#comment-13504844
]
Affan Dar commented on PROTON-161:
----------------------------------
I think that works fine.
I.e, these three modes for hostname verification should cover most of the cases
IMO: none, exact (subjectAltName or commonName must match the destination
hostname) or custom (user provides hostname to match, hostname might contain
wildcards).
> SSL impl does not allow verification of the peer's identity
> -----------------------------------------------------------
>
> Key: PROTON-161
> URL: https://issues.apache.org/jira/browse/PROTON-161
> Project: Qpid Proton
> Issue Type: Bug
> Components: proton-c
> Affects Versions: 0.3
> Reporter: Ken Giusti
> Assignee: Ken Giusti
> Priority: Blocker
>
> The current SSL implementation validates the peer's certificate, and will not
> permit the connection to come up if the certificate is invalid.
> However - it does not provide a way to check if the peer's identity as
> provided in the certificate is the expected identity (eg, the same hostname
> used to set up the TCP connection). While a certificate may be valid (that
> is, signed by a CA trusted by the client), it may not belong to the intended
> destination.
> RFC2818 explains how this should be done - see section 3.1 Server Identity.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
