[ https://issues.apache.org/jira/browse/PROTON-161?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13504844#comment-13504844 ]

Affan Dar commented on PROTON-161:
----------------------------------

I think that works fine. I.e., these three modes for hostname verification should cover most of the cases IMO: none, exact (subjectAltName or commonName must match the destination hostname) or custom (user provides hostname to match, hostname might contain wildcards).

> SSL impl does not allow verification of the peer's identity
> -----------------------------------------------------------
>
>                 Key: PROTON-161
>                 URL: https://issues.apache.org/jira/browse/PROTON-161
>             Project: Qpid Proton
>          Issue Type: Bug
>          Components: proton-c
>    Affects Versions: 0.3
>            Reporter: Ken Giusti
>            Assignee: Ken Giusti
>            Priority: Blocker
>
> The current SSL implementation validates the peer's certificate, and will not
> permit the connection to come up if the certificate is invalid.
> However - it does not provide a way to check if the peer's identity as
> provided in the certificate is the expected identity (e.g., the same hostname
> used to set up the TCP connection). While a certificate may be valid (that
> is, signed by a CA trusted by the client), it may not belong to the intended
> destination.
> RFC2818 explains how this should be done - see section 3.1 Server Identity.
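
Added example (not part of the original thread and not Proton's code): one reading of the three modes proposed in the comment, with the RFC 2818 section 3.1 rule that commonName is consulted only when the certificate has no subjectAltName dNSName. The mode names, the function names and the "*." single-label wildcard rule for the custom mode are assumptions; wildcard names inside the certificate itself are not interpreted here.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical names for the three modes proposed in the comment. */
typedef enum { VERIFY_NONE, VERIFY_EXACT, VERIFY_CUSTOM } verify_mode;

/* ASCII case-insensitive equality (DNS names are case-insensitive). */
static int eq_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;                    /* true only if both strings ended */
}

/* Compare one certificate name with the expected name. With wildcard set,
 * an expected name of the form "*.suffix" matches exactly one non-empty
 * leftmost label (assumed rule for the custom mode). */
static int name_matches(const char *expected, const char *cert_name, int wildcard)
{
    if (wildcard && strncmp(expected, "*.", 2) == 0) {
        const char *dot = strchr(cert_name, '.');
        if (dot == NULL || dot == cert_name)
            return 0;                   /* no label, or empty leftmost label */
        return eq_nocase(expected + 1, dot);
    }
    return eq_nocase(expected, cert_name);
}

/* Returns 1 if the peer identity is acceptable, 0 otherwise.
 * san_dns/n_san: dNSName entries already extracted from subjectAltName.
 * cn: subject commonName, or NULL. The code that extracts these names must
 * reject any name containing an embedded NUL byte before calling this. */
int verify_peer_name(verify_mode mode, const char *expected,
                     const char *const *san_dns, size_t n_san, const char *cn)
{
    size_t i;
    if (mode == VERIFY_NONE)
        return 1;                       /* identity is not checked at all */
    if (expected == NULL || *expected == '\0')
        return 0;                       /* nothing to compare: fail closed */
    if (n_san > 0) {
        for (i = 0; i < n_san; i++)
            if (name_matches(expected, san_dns[i], mode == VERIFY_CUSTOM))
                return 1;
        return 0;                       /* dNSName present: CN is ignored */
    }
    return cn != NULL && name_matches(expected, cn, mode == VERIFY_CUSTOM);
}
```

In the exact mode, expected is the hostname used to set up the TCP connection; in the custom mode it is the name supplied by the user.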