diff --git a/CHANGELOG.md b/CHANGELOG.md index 42592a699..e3049b58e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -34,6 +34,7 @@ (PR#2408 and PR#2414 by Jan Kaliszewski). - `intelmq.lib.upgrades`: Replace deprecated instances of `url2fqdn` experts by the new `url` expert in runtime configuration (PR#2432 by Sebastian Wagner). - `intelmq.lib.bot`: Ensure closing log files on reloading (PR#2435 by Kamil Mankowski). +- AMQP Pipeline: fix SSL context to pointing to create a client-side connection that verifies the server (PR by Kamil Mankowski). ### Development - Makefile: Add codespell and test commands (PR#2425 by Sebastian Wagner). @@ -61,6 +62,7 @@ - Remove undocumented and unused attributes of `StompCollectorBot` instances: `ssl_ca_cert`, `ssl_cl_cert`, `ssl_cl_cert_key`. - Minor fixes/improvements and some refactoring (see also above: *Core*...). +- `intelmq.bots.collectors.amqp`: fix SSL context to pointing to create a client-side connection that verifies the server (PR by Kamil Mankowski). #### Parsers - `intelmq.bots.parsers.netlab_360.parser`: Removed as the feed is discontinued. (#2442 by Filip Pokorný) @@ -93,6 +95,7 @@ - Try to reconnect on `NotConnectedException`. - `intelmq.bots.outputs.smtp_batch.output` (PR #2439 by Edvard Rejthar): - Fix ability to send with the default `bcc` +- `intelmq.bots.outputs.amqp`: fix SSL context to pointing to create a client-side connection that verifies the server (PR by Kamil Mankowski). ### Documentation - Add a readthedocs configuration file to fix the build fail (PR#2403 by Sebastian Wagner). 
@@ -165,7 +168,7 @@ #### Parsers - `intelmq.bots.parsers.shadowserver._config`: - Reset detected `feedname` at shutdown to re-detect the feedname on reloads (PR#2361 by @elsif2, fixes #2360). - - Switch to dynamic configuration to decouple report schema changes from IntelMQ releases. + - Switch to dynamic configuration to decouple report schema changes from IntelMQ releases. - Added 'IPv6-Vulnerable-Exchange' alias and 'Accessible-WS-Discovery-Service' report. (PR#2338) - Removed unused `p0f_genre` and `p0f_detail` from the 'DNS-Open-Resolvers' report. (PR#2338) - Added 'Accessible-SIP' report. (PR#2348) diff --git a/intelmq/bots/collectors/amqp/collector_amqp.py b/intelmq/bots/collectors/amqp/collector_amqp.py index 543f4e0be..291aa1ecf 100644 --- a/intelmq/bots/collectors/amqp/collector_amqp.py +++ b/intelmq/bots/collectors/amqp/collector_amqp.py @@ -55,7 +55,7 @@ def init(self): self.password) if self.use_ssl: - self.kwargs['ssl_options'] = pika.SSLOptions(context=ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)) + self.kwargs['ssl_options'] = pika.SSLOptions(context=ssl.create_default_context(ssl.Purpose.SERVER_AUTH)) self.connection_parameters = pika.ConnectionParameters( host=self.connection_host, diff --git a/intelmq/bots/outputs/amqptopic/output.py b/intelmq/bots/outputs/amqptopic/output.py index 68d1c366b..03c0faba5 100644 --- a/intelmq/bots/outputs/amqptopic/output.py +++ b/intelmq/bots/outputs/amqptopic/output.py @@ -64,7 +64,7 @@ def init(self): self.password) if self.use_ssl: - self.kwargs['ssl_options'] = pika.SSLOptions(context=ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)) + self.kwargs['ssl_options'] = pika.SSLOptions(context=ssl.create_default_context(ssl.Purpose.SERVER_AUTH)) self.connection_parameters = pika.ConnectionParameters( host=self.connection_host, diff --git a/intelmq/lib/pipeline.py b/intelmq/lib/pipeline.py index 8d307cad1..2cf36f023 100644 --- a/intelmq/lib/pipeline.py +++ b/intelmq/lib/pipeline.py 
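Review bot: The new `ssl.create_default_context(ssl.Purpose.SERVER_AUTH)` call in the `if self.use_ssl:` branch of `collector_amqp.py` trusts only the system CA store, and nothing in the hunk lets an operator supply a private CA, so brokers with internally issued certificates will stop connecting once verification is on. I would add an optional CA-bundle parameter and pass it through, e.g. `ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=self.ssl_ca_certificate)`; `ssl_ca_certificate` is a suggested name, not one the hunk defines, and leaving it `None` keeps the system store. Hostname checking is now enabled as well and `pika.SSLOptions` is given no `server_hostname`, so presumably `connection_host` must match a name in the broker certificate, which deserves a line in the documentation and the changelog entry. The same applies to the identical lines in `intelmq/bots/outputs/amqptopic/output.py` and, with `self.ssl` as the flag, in `intelmq/lib/pipeline.py`. `init` starts above the hunk and continues below it.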
@@ -530,7 +530,7 @@ def load_configurations(self, queues_type):
 if self.username and self.password:
 self.kwargs['credentials'] = pika.PlainCredentials(self.username, self.password)
 if self.ssl:
- self.kwargs['ssl_options'] = pika.SSLOptions(context=ssl.create_default_context(ssl.Purpose.CLIENT_AUTH))
+ self.kwargs['ssl_options'] = pika.SSLOptions(context=ssl.create_default_context(ssl.Purpose.SERVER_AUTH))
 pika_version = tuple(int(x) for x in pika.__version__.split('.'))
 if pika_version < (0, 11):
 self.kwargs['heartbeat_interval'] = 10
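Review bot: `pika.SSLOptions(context=...)` in the `if self.ssl:` branch sits directly above a compatibility branch for `pika_version < (0, 11)`, yet as far as I know `SSLOptions` accepts an `ssl.SSLContext` only from pika 1.0 on, so the TLS path probably cannot work on the old versions the following lines still cater for. Either record the real minimum next to the call, e.g. `# TLS requires pika >= 1.0: SSLOptions takes an ssl.SSLContext`, or raise a clear configuration error when `self.ssl` is set on an older pika. A small unit test asserting `self.kwargs['ssl_options'].context.verify_mode == ssl.CERT_REQUIRED` would also keep certificate verification from regressing unnoticed. `load_configurations` starts above the hunk and may continue below it.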