Bug 1038586
Summary: | Python client SSL authentication passes when "ssl_skip_hostname_check" is "false" and "ssl_trustfile" is not given | ||
---|---|---|---|
Product: | Red Hat Enterprise MRG | Reporter: | Petra Svobodová <psvobodo> |
Component: | python-qpid | Assignee: | Ernie <eallen> |
Status: | CLOSED ERRATA | QA Contact: | Petra Svobodová <psvobodo> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | Development | CC: | esammons, jross, kgiusti, pematous, zkraus |
Target Milestone: | 3.1 | Keywords: | Patch, Reproducer |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | python-qpid-0.30-2 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2015-04-14 13:47:13 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Attachments: |
Description
Petra Svobodová
2013-12-05 12:26:16 UTC
Created attachment 833118 [details]
bz reproducer
Try to send a message:
./spout.py --broker <hostname>:5671 --connection-options "{ username : 'guest', ssl_certfile : <path_to_client.pem>, protocol : 'amqp0-10', sasl_mechanisms : 'DIGEST-MD5', ssl_skip_hostname_check : 'false', password : 'guest', transport : 'ssl' }" --count 1 "amq.topic;{}"
Ken, please assess. According to the python docs: "The parameter cert_reqs specifies whether a certificate is required from the other side of the connection, and whether it will be validated if provided. It must be one of the three values CERT_NONE (certificates ignored), CERT_OPTIONAL (not required, but validated if provided), or CERT_REQUIRED (required and validated). If the value of this parameter is not CERT_NONE, then the ca_certs parameter [our ssl_trustfile parameter] must point to a file of CA certificates." We support only CERT_NONE (if no ssl_trustfile given) or CERT_REQUIRED (ssl_trustfile given). CERT_OPTIONAL is a security risk, and is not used. So our python client only receives the cert containing a hostname if ssl_trustfile is given. In other words, if ssl_trustfile is not given, then there will not be a hostname available to validate. But the behavior as described above can be confusing. Perhaps a warning should be logged if a user does not supply an ssl_trustfile and explicitly states "skip_hostname_check" == False (as opposed to not providing the parameter - as the default is _False_ anyways) As far a security is concerned: if no ssl_trustfile is given, checking the hostname would provide a false sense of security. Without a valid ssl_trustfile, nothing can be securely verified. Created attachment 917919 [details]
Assume if skip_hostname_check is set to false, user wants ssl
Proposed patch. If the user has explicitly set the skip_hostname_check flag to false, assume they want a secure connection.
If the trustfile is not also given, then a "qpid.messaging.exceptions.ConnectError: [Errno 111] Connection refused" is raised.
Ken, can you review the attached patch. If you concur that we should raise an exception when skip_hostname_check is explicitly set to false and no trustfile is given, then can you commit the patch upstream per Justin's request? Created attachment 918475 [details]
Distinguish between the default value of ssl_skip_hostname_check and manually setting the value to false
New patch that only raises an exception if the user explicitly sets the flag, as opposed to the flag getting the default value.
Qpid python client requires to have a path to the certification authority's certificate and tries to verify the server certificate before connecting the broker, if "ssl_skip_hostname_check" was set to "false" value. Verified on Rhel6.6-i686 and x86_64 on package python-qpid-0.30-3. --> VERIFIED Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2015-0805.html |