Aki Sukegawa created THRIFT-3599:
------------------------------------

             Summary: Validate client IP address against cert's SubjectAltName
                 Key: THRIFT-3599
                 URL: https://issues.apache.org/jira/browse/THRIFT-3599
             Project: Thrift
          Issue Type: Bug
          Components: Python - Library
            Reporter: Aki Sukegawa
            Assignee: Aki Sukegawa
            Priority: Critical

After THRIFT-3505, Python TSSLSocket has client cert support but does not perform any hostname matching. That means clients can submit any certificate that is unrelated to them and the server side only checks if the cert is in their CA. It is in a sense worse than nothing as it can introduce a false sense of security.
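
The check the issue asks for, as an added sketch that is not Thrift's code or the fix that was committed: it compares the peer address from `accept()` with the `IP Address` entries in the dict returned by Python's `ssl.SSLSocket.getpeercert()`. The function names and the sample certificate are constructed for illustration.

```python
import ipaddress

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns
# for a certificate that already passed CA chain verification.
SAMPLE_CERT = {
    "subject": ((("commonName", "client-a"),),),
    "subjectAltName": (
        ("DNS", "client-a.example.test"),
        ("IP Address", "192.0.2.10"),
        ("IP Address", "2001:DB8:0:0:0:0:0:1"),
    ),
}


def _normalize(addr):
    """Parse a textual address into a comparable ipaddress object."""
    # Drop an IPv6 zone id ("fe80::1%eth0") and stray whitespace.
    ip = ipaddress.ip_address(addr.strip().split("%", 1)[0])
    # A dual-stack listener reports IPv4 peers as ::ffff:a.b.c.d.
    return getattr(ip, "ipv4_mapped", None) or ip


def cert_ip_sans(cert):
    """Return the parsed 'IP Address' subjectAltName entries of a cert dict."""
    sans = []
    for kind, value in (cert or {}).get("subjectAltName", ()):
        if kind != "IP Address":
            continue
        try:
            sans.append(_normalize(value))
        except ValueError:
            pass  # an unparsable entry can never match
    return sans


def client_ip_matches_cert(peer_ip, cert):
    """True only if the connecting address is listed as an IP SAN."""
    try:
        peer = _normalize(peer_ip)
    except ValueError:
        return False
    # No fallback to commonName or DNS entries: absence of an IP SAN fails.
    return peer in cert_ip_sans(cert)
```

A server would call `client_ip_matches_cert(addr[0], conn.getpeercert())` after the handshake and close the connection when it returns False.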