AMQPS / TLS / SSL implementation is insecure #58

Open
grahamc opened this issue Sep 24, 2017 · 1 comment

grahamc commented Sep 24, 2017

From the openssl rust docs:

OpenSSL's default configuration is highly insecure. This connector manages the OpenSSL structures, configuring cipher suites, session options, hostname verification, and more.

OpenSSL's built in hostname verification is used when linking against OpenSSL 1.0.2 or 1.1.0, and a custom implementation is used when linking against OpenSSL 1.0.1.

It looks like you should be using the first example here: https://docs.rs/openssl/0.9.19/openssl/ssl/index.html#examples

I noticed this when I connected to my amqps server using the wrong hostname, and there was no certificate mismatch error.
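
The check whose absence is reported above, as an added example that is not part of the original issue, this project, or the openssl crate: after the certificate chain is validated, the client must still confirm that the certificate names the host it meant to reach. The matcher below is a simplified, std-only sketch of RFC 6125-style DNS name matching; the function names and hostnames are constructed for illustration, and IP addresses and internationalized names are out of scope.

```rust
// Added illustration: simplified matching of an intended hostname against
// the DNS names carried in a server certificate. All names are constructed.

/// True if `pattern` (a certificate DNS name) covers `host`.
fn name_matches(pattern: &str, host: &str) -> bool {
    // DNS names compare case-insensitively; ignore a trailing root dot.
    let pattern = pattern.trim_end_matches('.').to_ascii_lowercase();
    let host = host.trim_end_matches('.').to_ascii_lowercase();
    if pattern.is_empty() || host.is_empty() {
        return false;
    }
    match pattern.strip_prefix("*.") {
        // Wildcard: only as the whole left-most label, covering exactly one label.
        Some(suffix) => {
            // Refuse "*.org"-style patterns and any additional '*'.
            if suffix.contains('*') || !suffix.contains('.') {
                return false;
            }
            match host.split_once('.') {
                Some((first, rest)) => !first.is_empty() && rest == suffix,
                None => false,
            }
        }
        // No wildcard prefix: exact match only; "f*o.example.org" is rejected.
        None => !pattern.contains('*') && pattern == host,
    }
}

/// Accept the connection only if one certificate name covers the host the
/// client intended to reach; otherwise fail with a mismatch error.
fn verify_hostname(cert_dns_names: &[&str], intended_host: &str) -> Result<(), String> {
    if cert_dns_names.iter().any(|n| name_matches(n, intended_host)) {
        Ok(())
    } else {
        Err(format!("certificate is not valid for {}", intended_host))
    }
}

fn main() {
    // Constructed certificate names for a hypothetical AMQPS broker.
    let cert = ["broker.example.org", "*.mq.example.org"];
    let hosts = ["broker.example.org", "node1.mq.example.org", "wrong.example.net"];
    for host in hosts.iter() {
        println!("{}: {:?}", host, verify_hostname(&cert, host));
    }
}
```

A client that skips this step accepts any certificate that chains to a trusted root, whichever host it was issued for, which is the behaviour described in the report.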

Shnatsel commented Jan 5, 2019

There is even a RustSec advisory about OpenSSL prior to 0.9.x being vulnerable: https://rustsec.org/advisories/RUSTSEC-2016-0001.html

Is there any progress on this? If not, then at least the fact that SSL support is vulnerable and must not be used should be advertised in the README.
