rust-amqp

AMQPS / TLS / SSL implementation is insecure

Open grahamc opened this issue 7 years ago • 1 comment

From the openssl rust docs:

OpenSSL's default configuration is highly insecure. This connector manages the OpenSSL structures, configuring cipher suites, session options, hostname verification, and more.

OpenSSL's built in hostname verification is used when linking against OpenSSL 1.0.2 or 1.1.0, and a custom implementation is used when linking against OpenSSL 1.0.1.

It looks like you should be using the first example here: https://docs.rs/openssl/0.9.19/openssl/ssl/index.html#examples

I noticed this when I connected to my amqps server using the wrong hostname, and there was no certificate mismatch error.

grahamc, Sep 24 '17 11:09
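To make the missing check concrete, here is an added, self-contained illustration (not code from this issue, from rust-amqp, or from the openssl crate) of what TLS hostname verification does: the name the client asked to connect to is compared against the dNSName entries in the server certificate's Subject Alternative Name, with RFC 6125 wildcard rules. In practice the openssl crate's SslConnector does this (together with chain validation) when you follow the linked example; the SAN list and hostnames below are constructed.

```rust
// Hostname verification as a TLS client must do it: compare the host we
// *asked* for with the dNSName entries of the server certificate's SAN.
// Wildcard handling follows RFC 6125 section 6.4.3.

/// Matches one SAN dNSName entry (possibly "*.example.com") against the
/// hostname the client connected to. Returns true only on a valid match.
pub fn hostname_matches(san: &str, host: &str) -> bool {
    // DNS names are case-insensitive; a trailing dot marks an absolute name.
    let san = san.trim_end_matches('.').to_ascii_lowercase();
    let host = host.trim_end_matches('.').to_ascii_lowercase();
    if san.is_empty() || host.is_empty() || host.contains('*') {
        return false;
    }
    if !san.contains('*') {
        return san == host; // plain name: exact match only
    }
    // The wildcard must be the whole leftmost label ("*.example.com");
    // "f*.example.com" and "example.*.com" are rejected.
    let (first, rest) = match san.split_once('.') {
        Some(parts) => parts,
        None => return false,
    };
    if first != "*" || rest.contains('*') {
        return false;
    }
    // Don't let "*.com" match every .com host: need two labels after it.
    if rest.split('.').filter(|l| !l.is_empty()).count() < 2 {
        return false;
    }
    // The wildcard matches exactly one non-empty label, never "a.b".
    match host.split_once('.') {
        Some((h_first, h_rest)) => !h_first.is_empty() && h_rest == rest,
        None => false,
    }
}

/// True if any dNSName in the certificate's SAN list matches `host`.
pub fn cert_matches_host(san_dns_names: &[&str], host: &str) -> bool {
    san_dns_names.iter().any(|san| hostname_matches(san, host))
}

fn main() {
    // Constructed SAN list and the two situations from the issue:
    // connecting with the right hostname and with a wrong one.
    let sans = ["mq.example.com", "*.internal.example.com"];
    for host in ["mq.example.com", "wrong.example.com", "a.internal.example.com"] {
        let verdict = if cert_matches_host(&sans, host) { "ok" } else { "mismatch, abort handshake" };
        println!("{}: {}", host, verdict);
    }
}
```

A client that skips this step, as reported above, accepts any certificate whose chain validates, regardless of which server it was issued to.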

There is even a RustSec advisory about OpenSSL prior to 0.9.x being vulnerable: https://rustsec.org/advisories/RUSTSEC-2016-0001.html

Is there any progress on this? If not, then at least the fact that SSL support is vulnerable and must not be used should be advertised in the README.

Shnatsel, Jan 05 '19 21:01