From d7dc541a4ed325548571b7aed4bbc8175dd3bf4b Mon Sep 17 00:00:00 2001
From: Ganesh Murthy
Date: Mon, 11 Jul 2016 12:42:05 -0400
Subject: [PATCH] DISPATCH-401 - Made qdstat and qdmanage verify peer name by default. Added new option --ssl-disable-peer-name-verify to disable peer name verification
---
 .../qpid_dispatch_internal/tools/command.py | 19 ++++++++++++++++---
 tests/system_tests_qdmanage.py | 3 ++-
 tests/system_tests_qdstat.py | 5 ++++-
 tests/system_tests_sasl_plain.py | 1 +
 4 files changed, 23 insertions(+), 5 deletions(-)
diff --git a/python/qpid_dispatch_internal/tools/command.py b/python/qpid_dispatch_internal/tools/command.py
index 65ef3ccfb4..ff24123b48 100644
--- a/python/qpid_dispatch_internal/tools/command.py
+++ b/python/qpid_dispatch_internal/tools/command.py
@@ -96,6 +96,9 @@ def connection_options(options, title="Connection Options"):
 # Use the --sasl-password-file option to avoid having the --sasl-password in history or scripts.
 group.add_option("--sasl-password-file", action="store", type="string", metavar="SASL-PASSWORD-FILE",
 help="Password for SASL plain authentication")
+ group.add_option("--ssl-disable-peer-name-verify", action="store_true", default=False,
+ help="Disables SSL peer name verification. WARNING - This option is insecure and must not be used "
+ "in production environments")
 return group
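Review bot: The help text for `--ssl-disable-peer-name-verify` does not say what the default behaviour is or when the flag has any effect; in opts_ssl_domain it is consulted only inside the `if trustfile:` block, so with `--ssl-certificate` alone it is silently ignored. Suggest `help="Disable verification of the peer's host name against its certificate (verified by default when --ssl-trustfile is given). WARNING - insecure, must not be used in production"`. connection_options' def line is in the hunk header, so its start is outside the hunk.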
@@ -139,8 +142,13 @@ def opts_ssl_domain(opts, mode=SSLDomain.MODE_CLIENT):
 """Return proton.SSLDomain from command line options or None if no SSL options specified.
 @param opts: Parsed optoins including connection_options()
 """
- certificate, key, trustfile, password, password_file = opts.ssl_certificate, opts.ssl_key, opts.ssl_trustfile, \
- opts.ssl_password, opts.ssl_password_file
+
+ certificate, key, trustfile, password, password_file, ssl_disable_peer_name_verify = opts.ssl_certificate,\
+ opts.ssl_key,\
+ opts.ssl_trustfile,\
+ opts.ssl_password,\
+ opts.ssl_password_file, \
+ opts.ssl_disable_peer_name_verify
 if not (certificate or trustfile):
 return None
@@ -149,9 +157,14 @@ def opts_ssl_domain(opts, mode=SSLDomain.MODE_CLIENT):
 password = get_password(password_file)
 domain = SSLDomain(mode)
+
 if trustfile:
 domain.set_trusted_ca_db(str(trustfile))
- domain.set_peer_authentication(SSLDomain.VERIFY_PEER, str(trustfile))
+ if ssl_disable_peer_name_verify:
+ domain.set_peer_authentication(SSLDomain.VERIFY_PEER, str(trustfile))
+ else:
+ domain.set_peer_authentication(SSLDomain.VERIFY_PEER_NAME, str(trustfile))
+
 if certificate:
 domain.set_credentials(str(certificate), str(key), str(password))
 return domain
diff --git a/tests/system_tests_qdmanage.py b/tests/system_tests_qdmanage.py
index 753507c81b..adcbe666f5 100644
--- a/tests/system_tests_qdmanage.py
+++ b/tests/system_tests_qdmanage.py
@@ -328,7 +328,8 @@ def run_qdmanage(self, cmd, input=None, expect=Process.EXIT_OK, address=None):
 '--ssl-certificate=' + self.ssl_file('client-certificate.pem'),
 '--ssl-key=' + self.ssl_file('client-private-key.pem'),
 '--ssl-password=client-password',
- '--timeout', str(TIMEOUT)],
+ '--timeout', str(TIMEOUT),
+ '--ssl-disable-peer-name-verify'],
 stdin=PIPE, stdout=PIPE, stderr=STDOUT, expect=expect)
 out = p.communicate(input)[0]
 try:
diff --git a/tests/system_tests_qdstat.py b/tests/system_tests_qdstat.py
index ead0b0d01a..45b5ab6258 100644
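Review bot: The six-name tuple unpack spread over backslash continuations is harder to read than the two-line form it replaces, and only the new name is actually new; a separate `ssl_disable_peer_name_verify = opts.ssl_disable_peer_name_verify` statement after the existing unpack (or reading `opts.ssl_disable_peer_name_verify` at its single point of use in the `if trustfile:` block) keeps the change to one line. The docstring just above should also record the new behaviour, e.g. `@param opts: Parsed options including connection_options(); ssl_disable_peer_name_verify selects VERIFY_PEER instead of the default VERIFY_PEER_NAME`, which would also fix the existing "optoins" typo. opts_ssl_domain's def line is in the hunk header, so its start is outside the hunk, and its body continues in the next hunk.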
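Review bot: `SSLDomain.VERIFY_PEER_NAME` checks the peer certificate against a host name the SSL layer has been given, and nothing in this hunk supplies one, so whether the new default verifies the `--bus` address or fails for every TLS connection depends on how the connection is opened elsewhere in the tool; that should be confirmed and noted on the `else:` branch, e.g. `# VERIFY_PEER_NAME requires the peer host name to be set on the transport when the connection is opened`. The two branches differ only in the verify mode, so `verify = SSLDomain.VERIFY_PEER if ssl_disable_peer_name_verify else SSLDomain.VERIFY_PEER_NAME` followed by a single `domain.set_peer_authentication(verify, str(trustfile))` reads more directly and avoids the duplicated call. opts_ssl_domain's def line is outside this hunk; its body begins in the previous hunk.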
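Review bot: Passing `--ssl-disable-peer-name-verify` here, and likewise in system_tests_qdstat.py's SSL run_qdstat and system_tests_sasl_plain.py's test_aaa_qdstat_connect_sasl_over_ssl, means no system test exercises the VERIFY_PEER_NAME path that this commit makes the default. One test that runs qdmanage without the flag against an address matching the router certificate's name, and one asserting that a mismatched name is rejected, would cover both branches of the new code. run_qdmanage's def line is in the hunk header, so its start is outside the hunk.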
--- a/tests/system_tests_qdstat.py
+++ b/tests/system_tests_qdstat.py
@@ -39,6 +39,7 @@ def run_qdstat(self, args, regexp=None, address=None):
 p = self.popen(
 ['qdstat', '--bus', str(address or self.router.addresses[0]), '--timeout', str(system_test.TIMEOUT) ] + args,
 name='qdstat-'+self.id(), stdout=PIPE, expect=None)
+
 out = p.communicate()[0]
 assert p.returncode == 0, \
 "qdstat exit status %s, output:\n%s" % (p.returncode, out)
@@ -114,8 +115,10 @@ def setUpClass(cls):
 def run_qdstat(self, args, regexp=None, address=None):
 p = self.popen(
- ['qdstat', '--bus', str(address or self.router.addresses[0]), '--timeout', str(system_test.TIMEOUT) ] + args,
+ ['qdstat', '--bus', str(address or self.router.addresses[0]), '--ssl-disable-peer-name-verify',
+ '--timeout', str(system_test.TIMEOUT) ] + args,
 name='qdstat-'+self.id(), stdout=PIPE, expect=None)
+
 out = p.communicate()[0]
 assert p.returncode == 0, \
 "qdstat exit status %s, output:\n%s" % (p.returncode, out)
diff --git a/tests/system_tests_sasl_plain.py b/tests/system_tests_sasl_plain.py
index e09c69b635..7da5ca7aa6 100644
--- a/tests/system_tests_sasl_plain.py
+++ b/tests/system_tests_sasl_plain.py
@@ -258,6 +258,7 @@ def test_aaa_qdstat_connect_sasl_over_ssl(self):
 '--sasl-username=test@domain.com',
 '--sasl-password=password',
 # The following are SSL args
+ '--ssl-disable-peer-name-verify',
 '--ssl-trustfile=' + self.ssl_file('ca-certificate.pem'),
 '--ssl-certificate=' + self.ssl_file('client-certificate.pem'),
 '--ssl-key=' + self.ssl_file('client-private-key.pem'),