| Summary: | Posibility to disable the SSL hostname verification in C++ Linux clients | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise MRG | Reporter: | Pavel Moravec <pmoravec> | |
| Component: | qpid-cpp | Assignee: | Gordon Sim <gsim> | |
| Status: | CLOSED ERRATA | QA Contact: | Zdenek Kraus <zkraus> | |
| Severity: | medium | Docs Contact: | ||
| Priority: | medium | |||
| Version: | 2.3 | CC: | esammons, freznice, gsim, jross, pmoravec, rrajasek, sauchter, zkraus | |
| Target Milestone: | 3.1 | Keywords: | FutureFeature, Triaged | |
| Target Release: | --- | |||
| Hardware: | All | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | qpid-cpp-0.30-2 | Doc Type: | Enhancement | |
| Doc Text: |
It is now possible to disable hostname verification when connecting over SSL. In some circumstances, the certificate in use does not match the hostname used, yet there is no concern over spoofing due to other network controls. Disabling the verification performed by the qpid::messaging client is convenient in this circumstance. If a connection option 'ignore_ssl_hostname_verification_failure' is set to True, then when establishing an ssl connection, the client will not attempt to verify that the hostname of the server matches that included in the certificate.
|
Story Points: | --- | |
| Clone Of: | ||||
| : | 1112850 (view as bug list) | Environment: | ||
| Last Closed: | 2015-04-14 13:47:04 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Bug Depends On: | ||||
| Bug Blocks: | 1112850 | |||
|
Comment 1
Justin Ross
2013-10-10 15:51:40 UTC
*** Bug 1017739 has been marked as a duplicate of this bug. *** (In reply to Justin Ross from comment #1) > Pavel, is bug 1017739 a duplicate? Yes, already closed. Lesson learned: Never click to "back" button during filing BZ, even though the BZ has not been created yet so far (and even though bugzilla suggests to do so). Gordon, do you have any ideas for Pavel? Suggested fix: https://reviews.apache.org/r/22890/ Fixed upstream for linux/NSS (https://svn.apache.org/r1605127). I have created separate upstream JIRA to track the equivalent option on windows. Do we want to track that as a separate BZ also, or have this one track the option on all supported platforms? A separate bz, please. It may have a different priority on Windows. (In reply to Gordon Sim from comment #7) > Fixed upstream for linux/NSS (https://svn.apache.org/r1605127). > > I have created separate upstream JIRA to track the equivalent option on > windows. Do we want to track that as a separate BZ also, or have this one > track the option on all supported platforms? this was tested on RHEL 6.6 i686 and x86_64 with following packages: python-qpid-0.30-3 python-qpid-qmf-0.30-3 qpid-cpp-client-0.30-5 qpid-cpp-client-devel-0.30-5 qpid-cpp-client-rdma-0.30-5 qpid-cpp-debuginfo-0.30-5 qpid-cpp-server-0.30-5 qpid-cpp-server-devel-0.30-5 qpid-cpp-server-ha-0.30-5 qpid-cpp-server-linearstore-0.30-5 qpid-cpp-server-rdma-0.30-5 qpid-cpp-server-xml-0.30-5 qpid-java-client-0.30-3 qpid-java-common-0.30-3 qpid-java-example-0.30-3 qpid-jca-0.22-2 qpid-jca-xarecovery-0.22-2 qpid-proton-c-0.7-4 qpid-qmf-0.30-3 qpid-tools-0.30-3 feature works as expected. -> VERIFIED Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2015-0805.html |