Bug 885167
Summary: ssl client shall validate server's certificate

| Field | Value |
|---|---|
| Product | Red Hat Enterprise MRG |
| Component | python-qpid |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | high |
| Version | Development |
| Target Milestone | 2.3.3 |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | Petr Matousek <pematous> |
| Assignee | Ken Giusti <kgiusti> |
| QA Contact | Petr Matousek <pematous> |
| CC | jross, jwulf, kgiusti, lzhaldyb, mcressma, tmckay |
| Fixed In Version | python-qpid-0.18-5 |
| Doc Type | Bug Fix |
| Clones | 973693 (view as bug list) |
| Last Closed | 2013-07-11 13:36:36 UTC |
| Type | Bug |
| Bug Depends On | 965441, 1038004 |
| Bug Blocks | 973693 |

Doc Text:

Cause: When the python client is configured to use an SSL connection, a Certificate Authority (CA) can be configured so that the remote's credentials (its certificate) are verified against it. A bug in the configuration process allowed the SSL connection to succeed without that CA verification ever being performed.

Consequence: The remote's certificate was never checked. This is a security issue: the connection was encrypted, but the remote's authenticity was unknown, so a client could be talking to an impostor over a "secure" connection.

Fix: The python client was modified to require that the remote's certificate be validated against the configured CA, and that the certificate carry the correct name of the remote, before the connection is allowed to succeed.

Result: The connection will only succeed if the remote is verified and authenticated.
Description

Petr Matousek 2012-12-07 16:27:33 UTC

Ken, please assess.

*** Bug 790863 has been marked as a duplicate of this bug. ***

Marking POST, as the certificate validation was fixed by the patch for this BZ: https://bugzilla.redhat.com/show_bug.cgi?id=885173

This issue was tested and seems to work properly. -> Waiting for doc, please see bug 965441

Validation of the connection server's certificate against the chain of trust was implemented, although there are some caveats: the validation is done only on RHEL6 and must be requested by setting the 'ssl_trustfile' connection option. -> VERIFIED

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1023.html
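The Doc Text and the VERIFIED comment above describe two separate checks that a TLS client must perform before trusting a broker: chain validation against the configured trust file ('ssl_trustfile') and matching the certificate's name against the host it connected to. The following is an added example written for this page, not python-qpid's own code or its patch. It shows, with the Python standard-library ssl module, the weak client configuration (encrypted but unauthenticated) beside the corrected one, an audit that flags either gap, and a hostname matcher in the spirit of RFC 6125 applied to the dict shape that ssl.SSLSocket.getpeercert() returns. BROKER_HOST, the trust-file parameter and the sample certificate dicts are constructed for illustration and are not taken from the bug report.

```python
"""Added example, not python-qpid's own code: what "validate the remote's
certificate against the configured CA and check its name" means in terms of
the Python ssl module.  BROKER_HOST and the sample certificates below are
constructed for illustration."""
import ssl
from typing import Dict, List, Optional

BROKER_HOST = "broker.example.com"          # hypothetical broker name


def weak_client_context() -> ssl.SSLContext:
    """The pre-fix failure mode: TLS is negotiated, so the link is encrypted,
    but the peer is never authenticated (any certificate, or none, is accepted)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False               # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_client_context(trustfile: Optional[str] = None) -> ssl.SSLContext:
    """The post-fix requirement: chain validation against the configured trust
    file (the role of the 'ssl_trustfile' option) plus hostname matching, both
    mandatory.  With no trust anchors loaded every handshake fails, which is
    the safe direction."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if trustfile:                            # hypothetical path to a CA bundle
        ctx.load_verify_locations(cafile=trustfile)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the reasons a client context would accept an unauthenticated peer."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required or not chained to a CA")
    if not ctx.check_hostname:
        findings.append("certificate name not matched against the remote host")
    if ctx.cert_store_stats()["x509"] == 0:
        findings.append("no trust anchors loaded")
    return findings


def _name_matches(pattern: str, host: str) -> bool:
    """dNSName comparison in the spirit of RFC 6125 section 6.4.3: case-
    insensitive, and a wildcard is honoured only as the entire left-most
    label of a name with at least three labels, so '*.example.com' matches
    neither 'example.com' nor 'a.b.example.com'."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    return len(p_labels) == len(h_labels) and bool(h_labels[0]) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert: Dict, hostname: str) -> bool:
    """Match a getpeercert()-shaped dict against the expected remote name.
    If the certificate carries any dNSName SAN the subject CN is ignored
    (RFC 6125 section 6.4.4); CN is only a fallback for legacy certificates."""
    dns_names = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if dns_names:
        return any(_name_matches(n, hostname) for n in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _name_matches(value, hostname)
    return False


# Constructed samples in the shape ssl.SSLSocket.getpeercert() returns.
GOOD_CERT = {
    "subject": ((("commonName", "broker.example.com"),),),
    "subjectAltName": (("DNS", "broker.example.com"), ("DNS", "*.mrg.example.com")),
}
WRONG_NAME_CERT = {
    "subject": ((("commonName", "broker.example.com"),),),   # CN looks right...
    "subjectAltName": (("DNS", "other.example.com"),),       # ...but the SAN decides
}

if __name__ == "__main__":
    print("weak context:    ", audit_context(weak_client_context()))
    print("verified context:", audit_context(verified_client_context()))
    print("good cert matches broker:      ", hostname_matches(GOOD_CERT, BROKER_HOST))
    print("wrong-name cert matches broker:", hostname_matches(WRONG_NAME_CERT, BROKER_HOST))
```

Two details are worth noting. Setting verify_mode to CERT_NONE on a PROTOCOL_TLS_CLIENT context raises ValueError unless check_hostname has already been cleared, so the weak configuration has to be built deliberately; a client that merely forgets to load a trust file fails closed, which is the behaviour the fix aims for. And a name check that falls back to the subject CN while a dNSName SAN is present would accept WRONG_NAME_CERT above, which is why the matcher only consults the CN when no DNS SAN exists.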