-
Notifications
You must be signed in to change notification settings - Fork 839
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
TLS/SSL support is vulnerable to MITM attacks #464
Comments
#1 is something that's up to the user of the client library to do. The goal is to be non-opinionated in SSL use. You basically have the full set of SSL socket options available to you. Perhaps an example of pika with SSL using these options would be helpful in the docs? |
I would argue that optional support for 2) is required in core, because it is too cumbersome to override this logic. Would it be to opinionated to have hostname check in place if "cert_reqs" is set as in part 1) ? Python 2.x can be supported using https://pypi.python.org/pypi/backports.ssl_match_hostname I can make a pull request for this change if needed. |
@vitaly-krugl Any comment on this? |
@kherrala, I will need to wrap my brain around SSL once again, before I can answer your question. Another area that pika probably doesn't support is ssl renegotiation, as pointed out in #703. https://github.com/openwebos/libpalmsocket may be a good algorithmic reference for re-handshakes, etc. I rewrote libpalmsocket a while back, adding support for SSL renegotiation, certificates, and workarounds for a number of OpenSSL bugs. |
@vitaly-krugl I have released some of the SSL patches we are currently running in production on hundreds of clients with some times poor connectivity. They can be found from my fork in master branch. These are essentially the same changes as in my previous pull request #501. Unfortunately I don't have the time to verify them on current master but they are working fine on my original fork based on Pika 0.9.14. Maybe this can be useful for you if you are intending to fix this? From my second patch it should be obvious that MITM protection cannot be implemented using ssl_options or the current API. I haven't looked at SSL renegotiations, but they don't seem to be a problem for us. I believe they are handled using Python socket wrapper and standard event processing automatically? |
@gmr, would enabling the user to pass a callback to perform whatever certificate validation the user code deems necessary eliminate the issue of introducing opinionated code in pika core? The callback would be called upon completion of ssl handshake, and would have access to SSLContext. From my past work on what is now https://github.com/openwebos/libpalmsocket, I recall apps needing a feature of this kind, as the type of validation sometimes differed from app to app. I also recall apps needing to save and reuse ssl contexts in order to speed-up SSL connection establishment a lot. |
I don't see why anyone would like to override certificate name validation in HTTP clients so why would it be required here? See for example sane default behaviour found here: https://github.com/shazow/urllib3/blob/master/urllib3/connection.py In my opinion every TLS client library should do these check at the least. This kind of MITM vulnerability would be found in a normal security audit very easily. Another rather more opinionated suggestion is to depend on certifi (http://certifiio.readthedocs.org/en/latest/) used by the requests library. |
@gmr, I would like to reopen this issue. I think that pika needs to provide a mechanism to enable users to configure I took a look at the builtin ssl.py, and see that it supplies a convenience public API function for creating contexts that represent recommended practices:
If pika were to support There are additional security measures that
|
Hi @gmr, I reopened this issue to keep it on our radar per rationale in #464 (comment). I think there are changes that we can make, which would not be opinionated. |
Also, see https://www.rabbitmq.com/ssl.html
|
- ``ssl.PROTOCOL_TLSv1`` is now deprecated (https://docs.python.org/3/library/ssl.html#ssl.PROTOCOL_TLSv1), ``ssl.PROTOCOL_TLS`` should be preferred, which is used by ``ssl.create_default_context`` among other other parameters which provide a higher security level (https://docs.python.org/3/library/ssl.html#ssl.create_default_context); - checking server hostnames prevents man in the middle attacks (pika#464); - RabbitMQ 3.7.0 introduced a new systemctl syntax for rabbitmq.conf (https://www.rabbitmq.com/configure.html#config-file).
Note that pika is now python 2.7 + and python 2.7.9 has |
cc @tiran I am closing this issue because the code in pika master now allows the application to control all the SSL features called out in the description of this issue. In pika master targeting pika v1.0.0 release, the connection parameters support passing
|
I opened issue #1035 to make sure we have adequate test coverage for these scenarios. |
Pika's TLS/SSL code accepts all X.509 certificate because it doesn't verify the peer's cert at all. As consequence of this pika is vulnerable to all active attacks like man-in-the-middle attacks. An adversary can use self-signed certificate to listen to or modify all AMQP traffic. TLS without proper cert validation cancels all security of TLS.
In order to verify the peer you have to do two things:
Check that the leaf certificate is signed by a trusted root certification authority. "cert_reqs=ssl.CERT_REQUIRED" enables the check. Trusted root CA certs must be loaded first.
Verify that the common name (CN) or subject alternative name (SAN) DNS names matches the peer's FQDN. Python 3.x has ssl.match_hostname().
Both checks MUST be performed in order to validate the certificate correctly.
The text was updated successfully, but these errors were encountered: