Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Validate SQS SSL certs by default #2094

Merged
merged 1 commit into from
Aug 25, 2024
Merged

Validate SQS SSL certs by default #2094

merged 1 commit into from
Aug 25, 2024

Conversation

poundifdef
Copy link
Contributor

By default, Kombu does not validate SSL certs when connecting to SQS. As a result, when attempting to connect to a server which requires SNI, the connection fails: Server aborted the SSL handshake

Specifically, curl.py#L238 sets SSL_VERIFYHOST to 0 by default. This code has not been updated since it was originally merged 10 years ago.

curl's documentation says this:

Secure Transport: If verify value is 0, then SNI is also disabled. SNI is a TLS extension that sends the hostname to the server. The server may use that information to do such things as sending back a specific certificate for the hostname, or forwarding the request to a specific origin server. Some hostnames may be inaccessible if SNI is not sent.

Curl's default value for this is 2.

This only seems to cause issues on my MacOS laptop (M3, Sonoma 14.4.1). It works fine in Linux - it is possible that different systems will have different curl versions or behaviors. I'm running python 3.12.4 and tested with the latest Celery+Kombu from github.

@Nusnus Nusnus self-requested a review August 5, 2024 19:36
@Nusnus Nusnus force-pushed the sqs-default-verify-ssl branch from 4032578 to 186c769 Compare August 6, 2024 21:19
@Nusnus Nusnus requested a review from thedrow August 18, 2024 13:01
@thedrow thedrow merged commit 93d8ecb into celery:main Aug 25, 2024
16 checks passed
@Nusnus Nusnus mentioned this pull request Sep 13, 2024
Closed
ivanprjcts added a commit to ivanprjcts/kombu that referenced this pull request Sep 14, 2024
@ivanprjcts
Revert "Validate SSL certs by default (celery#2094)"
c47e206 
This reverts commit 93d8ecb.
Nusnus added a commit that referenced this pull request Sep 14, 2024
@Nusnus
Revert "Validate SSL certs by default (#2094)"
9d7f338 
This reverts commit 93d8ecb.
@Nusnus Nusnus mentioned this pull request Sep 14, 2024
Merged
Nusnus added a commit that referenced this pull request Sep 16, 2024
@Nusnus
Revert "Validate SSL certs by default (#2094)" (#2114)
a626f1f 
This reverts commit 93d8ecb.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Nusnus Nusnus Awaiting requested review from Nusnus

Assignees
No one assigned
Labels
Component: Amazon SQS Broker
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@poundifdef @auvipy