Bug 1017743 - Posibility to disable the SSL hostname verification in C++ Linux clients
Summary: Posibility to disable the SSL hostname verification in C++ Linux clients
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: qpid-cpp
Version: 2.3
Hardware: All
OS: Linux
medium
medium
Target Milestone: 3.1
: ---
Assignee: Gordon Sim
QA Contact: Zdenek Kraus
URL:
Whiteboard:
: 1017739 (view as bug list)
Depends On:
Blocks: 1112850
TreeView+ depends on / blocked
 
Reported: 2013-10-10 12:28 UTC by Pavel Moravec
Modified: 2019-08-15 03:41 UTC (History)
8 users (show)

Fixed In Version: qpid-cpp-0.30-2
Doc Type: Enhancement
Doc Text:
It is now possible to disable hostname verification when connecting over SSL. In some circumstances, the certificate in use does not match the hostname used, yet there is no concern over spoofing due to other network controls. Disabling the verification performed by the qpid::messaging client is convenient in this circumstance. If a connection option 'ignore_ssl_hostname_verification_failure' is set to True, then when establishing an ssl connection, the client will not attempt to verify that the hostname of the server matches that included in the certificate.
Clone Of:
: 1112850 (view as bug list)
Environment:
Last Closed: 2015-04-14 13:47:04 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Apache JIRA QPID-5841 None None None Never
Red Hat Product Errata RHEA-2015:0805 normal SHIPPED_LIVE Red Hat Enterprise MRG Messaging 3.1 Release 2015-04-14 17:45:54 UTC

Comment 1 Justin Ross 2013-10-10 15:51:40 UTC
Pavel, is bug 1017739 a duplicate?

Comment 2 Pavel Moravec 2013-10-10 16:29:49 UTC
*** Bug 1017739 has been marked as a duplicate of this bug. ***

Comment 3 Pavel Moravec 2013-10-10 16:32:43 UTC
(In reply to Justin Ross from comment #1)
> Pavel, is bug 1017739 a duplicate?

Yes, already closed.

Lesson learned: Never click to "back" button during filing BZ, even though the BZ has not been created yet so far (and even though bugzilla suggests to do so).

Comment 5 Justin Ross 2014-06-23 18:22:04 UTC
Gordon, do you have any ideas for Pavel?

Comment 6 Gordon Sim 2014-06-23 21:04:15 UTC
Suggested fix: https://reviews.apache.org/r/22890/

Comment 7 Gordon Sim 2014-06-24 16:21:56 UTC
Fixed upstream for linux/NSS (https://svn.apache.org/r1605127).

I have created separate upstream JIRA to track the equivalent option on windows. Do we want to track that as a separate BZ also, or have this one track the option on all supported platforms?

Comment 8 Justin Ross 2014-06-24 17:18:56 UTC
A separate bz, please.  It may have a different priority on Windows.

(In reply to Gordon Sim from comment #7)
> Fixed upstream for linux/NSS (https://svn.apache.org/r1605127).
> 
> I have created separate upstream JIRA to track the equivalent option on
> windows. Do we want to track that as a separate BZ also, or have this one
> track the option on all supported platforms?

Comment 10 Zdenek Kraus 2015-01-13 22:11:11 UTC
this was tested on RHEL 6.6 i686 and x86_64 with following packages:
python-qpid-0.30-3
python-qpid-qmf-0.30-3
qpid-cpp-client-0.30-5
qpid-cpp-client-devel-0.30-5
qpid-cpp-client-rdma-0.30-5
qpid-cpp-debuginfo-0.30-5
qpid-cpp-server-0.30-5
qpid-cpp-server-devel-0.30-5
qpid-cpp-server-ha-0.30-5
qpid-cpp-server-linearstore-0.30-5
qpid-cpp-server-rdma-0.30-5
qpid-cpp-server-xml-0.30-5
qpid-java-client-0.30-3
qpid-java-common-0.30-3
qpid-java-example-0.30-3
qpid-jca-0.22-2
qpid-jca-xarecovery-0.22-2
qpid-proton-c-0.7-4
qpid-qmf-0.30-3
qpid-tools-0.30-3

feature works as expected.
-> VERIFIED

Comment 15 errata-xmlrpc 2015-04-14 13:47:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2015-0805.html


Note You need to log in before you can comment on or make changes to this bug.