Multiple security flaws were found in the QPID Python's SSL certificate validation code. Details:

While the QPID client connection API allows for a list of Certificate Authority certificates to be provided when connecting, if the remote certificate does not validate against the CA certs, the client connection will continue.  This is due in part to the python SSL library not validating certificates supplied by the remote system unless the CERT_REQUIRED flag is set when making the connection [1] (the QPID python client code does not set this flag).  However, this is only valid on systems using a version of python >= 2.6; on earlier versions of Python the CAs parameter is simply ignored [2] (see ssl() section).

Also, the QPID python client does not check the CN or SubjectAltName from the peer's certificate against the FQDN of the destination.  This could allow an attacker to masquerade as the desired peer simply by providing any certificate that is signed by a trusted CA.

In the case of python 2.6+ (which is everything with the exception of MRG on Red Hat Enterprise Linux 5), the QPID python client code should set the CERT_REQUIRED flag if the application provides a CA list.  If the certificate is valid, the CN/SAN should be checked against the destination FQDN.  If either fails, the connection attempt should likewise fail.  In the case of MRG on Red Hat Enterprise Linux 5 (due to the use of Python 2.4.3), since there is no way to validate the peer certificate, the application should fail with an appropriate error message if a CA list is provided (and perhaps document that it is not possible to do certificate verification on this platform).


[1] http://docs.python.org/2/library/ssl.html
[2] http://docs.python.org/release/2.5.4/lib/module-socket.html