Bug 568661
| Field | Value |
|---|---|
| Summary | JMS client does not verify that the hostname connected to matches that specified in the server's certificate |
| Product | Red Hat Enterprise MRG |
| Component | qpid-java |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | high |
| Version | 1.2 |
| Target Milestone | 1.3 |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Reporter | Gordon Sim <gsim> |
| Assignee | Rajith Attapattu <rattapat+nobody> |
| QA Contact | Jiri Kolar <jkolar> |
| CC | freznice, jkolar |
| Doc Type | Bug Fix |
| Doc Text | Previously, the JMS client succeeded in connecting to a broker whose certificate had a random string as its common name. With this update, an option (ssl_verify_hostname=['true'/'false']) is introduced that verifies that the CN matches the hostname it believes it has connected to; if it does not, an error is raised. |
| Story Points | --- |
| Last Closed | 2010-10-14 16:10:11 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
Description
Gordon Sim
2010-02-26 10:00:39 UTC
This is tracked in upstream via https://issues.apache.org/jira/browse/QPID-2444

This is fixed by rev 925469 in Qpid trunk. SSLTest in the systests has a test case for this. In order to enable hostname verification, you need to use ssl_verify_hostname='true' in the broker URL. Ex:

    "amqp://guest:guest@test/?brokerlist='tcp://<hostname>:5671?ssl='true'&ssl_verify_hostname='true''"

fixed in qpid-java-client-0.7.946106-10.el5

mentioned test passes

validated on RHEL5.5/RHEL 4.8 i386 / x86_64

packages:

    # rpm -qa | grep -E '(qpid|openais|rhm)' | sort -u
    openais-0.80.6-16.el5_5.7
    openais-devel-0.80.6-16.el5_5.7
    python-qpid-0.7.946106-14.el5
    qpid-cpp-client-0.7.946106-17.el5
    qpid-cpp-client-devel-0.7.946106-17.el5
    qpid-cpp-client-devel-docs-0.7.946106-17.el5
    qpid-cpp-client-ssl-0.7.946106-17.el5
    qpid-cpp-mrg-debuginfo-0.7.946106-14.el5
    qpid-cpp-server-0.7.946106-17.el5
    qpid-cpp-server-cluster-0.7.946106-17.el5
    qpid-cpp-server-devel-0.7.946106-17.el5
    qpid-cpp-server-ssl-0.7.946106-17.el5
    qpid-cpp-server-store-0.7.946106-17.el5
    qpid-cpp-server-xml-0.7.946106-17.el5
    qpid-java-client-0.7.946106-10.el5
    qpid-java-common-0.7.946106-10.el5
    qpid-tools-0.7.946106-11.el5
    rhm-docs-0.7.946106-5.el5
    rh-tests-distribution-MRG-Messaging-qpid_common-1.6-53

-> VERIFIED

Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Previously, the JMS client succeeded in connecting to a broker whose certificate had a random string as its common name. With this update, an option (ssl_verify_hostname=['true'/'false']) is introduced that verifies that the CN matches the hostname it believes it has connected to; if it does not, an error is raised.

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2010-0773.html
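As an added example (not code from this bug report or from the Qpid project), a minimal JMS client that builds the broker URL from the comment above with the new option switched on, so that a broker certificate whose CN does not equal the connected hostname is rejected instead of silently accepted. It assumes a broker host of broker.example.com, a trust store supplied through the standard javax.net.ssl system properties, and the org.apache.qpid.client.AMQConnectionFactory class of the fixed qpid-java-client package.

```java
import javax.jms.Connection;
import javax.jms.JMSException;
import org.apache.qpid.client.AMQConnectionFactory;

public class VerifiedSslConnect {

    // Placeholder broker host (assumption). With ssl_verify_hostname='true'
    // the client checks that the CN of the broker certificate equals this name.
    private static final String BROKER_HOST = "broker.example.com";

    // Build the broker URL shown in the bug report, toggling the new option.
    // 'false' reproduces the pre-fix behaviour: any CN, even a random string,
    // is accepted as long as the certificate chains to a trusted CA.
    static String brokerUrl(boolean verifyHostname) {
        return "amqp://guest:guest@test/?brokerlist='tcp://" + BROKER_HOST
                + ":5671?ssl='true'&ssl_verify_hostname='" + verifyHostname + "''";
    }

    public static void main(String[] args) throws Exception {
        // Trust store assumed to be configured externally, e.g.
        //   -Djavax.net.ssl.trustStore=/path/to/truststore.jks
        AMQConnectionFactory factory = new AMQConnectionFactory(brokerUrl(true));
        Connection connection = null;
        try {
            connection = factory.createConnection();
            connection.start();
            System.out.println("Connected; certificate CN matched " + BROKER_HOST);
        } catch (JMSException e) {
            // A CN/hostname mismatch is expected to surface here as a failed
            // connection attempt rather than as a silently established session.
            System.err.println("Connection rejected: " + e.getMessage());
        } finally {
            if (connection != null) {
                connection.close();
            }
        }
    }
}
```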