Red Hat Bugzilla – Bug 928530
CVE-2013-1909 python-qpid: client does not validate qpid server TLS/SSL certificate
Last modified: 2015-06-21 20:08:55 EDT
Multiple security flaws were found in the QPID Python's SSL certificate validation code. Details:
While the QPID client connection API allows for a list of Certificate Authority certificates to be provided when connecting, if the remote certificate does not validate against the CA certs, the client connection will continue. This is due in part to the python SSL library not validating certificates supplied by the remote system unless the CERT_REQUIRED flag is set when making the connection (the QPID python client code does not set this flag). However, this is only valid on systems using a version of python >= 2.6; on earlier versions of Python the CAs parameter is simply ignored (see ssl() section).
Also, the QPID python client does not check the CN or SubjectAltName from the peer's certificate against the FQDN of the destination. This could allow an attacker to masquerade as the desired peer simply by providing any certificate that is signed by a trusted CA.
In the case of python 2.6+ (which is everything with the exception of MRG on Red Hat Enterprise Linux 5), the QPID python client code should set the CERT_REQUIRED flag if the application provides a CA list. If the certificate is valid, the CN/SAN should be checked against the destination FQDN. If either fails, the connection attempt should likewise fail. In the case of MRG on Red Hat Enterprise Linux 5 (due to the use of Python 2.4.3), since there is no way to validate the peer certificate, the application should fail with an appropriate error message if a CA list is provided (and perhaps document that it is not possible to do certificate verification on this platform).
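The two checks the description asks for (CERT_REQUIRED when a CA list is given, then CN/SAN against the destination FQDN), as an added example written for this page; it is not code from the bug report or from the python-qpid project. The function names, the constructed peer-certificate dicts (in the shape returned by getpeercert()) and the use of ssl.SSLContext are assumptions of the example; the Python 2.6-era ssl.wrap_socket() equivalent is noted in a comment. The matcher follows the usual rules (SAN dNSName entries take precedence over CN, a wildcard only as the whole leftmost label, case-insensitive) and treats an empty cert dict, which is what getpeercert() returns when no verification was done, as a failure.

```python
import socket
import ssl


def _dns_name_matches(pattern, hostname):
    """Match one certificate DNS name (optionally '*.' prefixed) against a hostname."""
    pattern = pattern.lower().rstrip('.')
    hostname = hostname.lower().rstrip('.')
    if not pattern or not hostname:
        return False
    plabels = pattern.split('.')
    hlabels = hostname.split('.')
    if '' in hlabels:
        return False
    if '*' not in pattern:
        return plabels == hlabels
    # Wildcard must be the entire leftmost label, with at least two fixed labels after it
    # (so '*.example.com' is accepted but '*.com' and 'br*.example.com' are not).
    if plabels[0] != '*' or len(plabels) < 3 or any('*' in l for l in plabels[1:]):
        return False
    return len(hlabels) == len(plabels) and plabels[1:] == hlabels[1:]


def cert_dns_names(cert):
    """DNS names a peer certificate claims: SAN dNSName entries, else the subject CN(s)."""
    sans = [value for (kind, value) in cert.get('subjectAltName', ()) if kind == 'DNS']
    if sans:
        return sans
    return [value for rdn in cert.get('subject', ())
            for (key, value) in rdn if key == 'commonName']


def hostname_matches(cert, hostname):
    """True only if a verified certificate names the host we meant to reach.

    getpeercert() returns {} when the handshake ran with CERT_NONE, i.e. when the
    chain was never checked; that must fail rather than silently pass.
    """
    if not cert:
        return False
    return any(_dns_name_matches(name, hostname) for name in cert_dns_names(cert))


def connect_verified(host, port, ca_certs, timeout=10):
    """Open a TLS connection that fails closed on an untrusted chain or a name mismatch.

    Python 2.6 equivalent of the wrapping step (assumption, not the page's code):
        ssl.wrap_socket(raw, ca_certs=ca_certs, cert_reqs=ssl.CERT_REQUIRED)
    followed by the same getpeercert()/hostname_matches() check.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # done explicitly below to show the check
    ctx.verify_mode = ssl.CERT_REQUIRED   # the flag the unpatched client never set
    ctx.load_verify_locations(ca_certs)   # the CA list the application supplied
    raw = socket.create_connection((host, port), timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    try:
        if not hostname_matches(tls.getpeercert(), host):
            raise ssl.CertificateError(
                "certificate is trusted but does not name %r: %r"
                % (host, cert_dns_names(tls.getpeercert())))
    except Exception:
        tls.close()
        raise
    return tls


# Constructed sample peer certificates (getpeercert() dict shape), not captured from any host.
CERT_WITH_SAN = {
    'subject': ((('commonName', 'evil.example.net'),),),
    'subjectAltName': (('DNS', 'broker.example.com'), ('DNS', '*.mq.example.com')),
}
CERT_CN_ONLY = {
    'subject': ((('countryName', 'US'),), (('commonName', 'broker.example.com'),)),
}
```

On current Python, leaving check_hostname=True on a PROTOCOL_TLS_CLIENT context performs the same name check during the handshake; the explicit matcher is kept here so the CN/SAN step the bug describes is visible. Note that the CN in CERT_WITH_SAN is ignored once SAN entries are present, which is exactly the case an attacker holding any CA-signed certificate would rely on if only the chain were checked.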
This issue was discovered by Petr Matousek of the Red Hat MRG Messaging
This python bug #928390 needs to be fixed in RHEL6 before we can fix this properly.
A CVE has been assigned for this issue: CVE-2013-1909
Created python-qpid tracking bugs for this issue
Affects: fedora-all [bug 974610]
This issue has been addressed in the following products:
MRG for RHEL-6 v.2
Via RHSA-2013:1024 https://rhn.redhat.com/errata/RHSA-2013-1024.html
python-qpid 0.24 is in all versions of Fedora, so this has been fixed there.