commons-issues mailing list archives

From "Simon Arlott (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (NET-579) SSL/TLS SocketClients do not verify the hostname against the certificate
Date Sat, 22 Aug 2015 09:25:45 GMT

     [ https://issues.apache.org/jira/browse/NET-579?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Simon Arlott updated NET-579:
-----------------------------
    Attachment:     (was: NET-579.patch)

> SSL/TLS SocketClients do not verify the hostname against the certificate
> ------------------------------------------------------------------------
>
>                 Key: NET-579
>                 URL: https://issues.apache.org/jira/browse/NET-579
>             Project: Commons Net
>          Issue Type: Bug
>          Components: FTP, IMAP, POP3, SMTP
>    Affects Versions: 3.3
>         Environment: Java 1.7 (earlier versions cannot verify the hostname)
>            Reporter: Simon Arlott
>            Priority: Critical
>              Labels: security
>         Attachments: NET-579.patch
>
>   Original Estimate: 2h
>  Remaining Estimate: 2h
>
> Every subclass of SocketClient that does SSL/TLS will never verify the hostname of the server against the certificate. This means that any valid certificate for any CA in the default trust store will be accepted without error.
> SocketClient should be modified to store the hostname, and SMTPSClient/FTPSClient/IMAPSClient/POP3SClient should use it when negotiating SSL/TLS.
> Java 1.7 has support for verifying the hostname if SSLParameters.setEndpointIdentificationAlgorithm("HTTPS") is used.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
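
The fix described in the issue, as an added Java example (not the attached NET-579.patch and not Commons Net code): it enables endpoint identification on an SSLSocket layered over an existing connection, using the host name the caller asked for. The class and method names are hypothetical, and it assumes the default JSSE socket factory and trust manager.

```java
import java.io.IOException;
import java.net.Socket;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added illustration; HostnameCheckedUpgrade and its methods are hypothetical
// names, not Commons Net classes.
public class HostnameCheckedUpgrade {

    // Turn on JSSE endpoint identification (Java 7+). With "HTTPS" the default
    // trust manager also checks the certificate against the peer host name
    // during the handshake, not only the chain to a trusted CA.
    static void requireHostnameMatch(SSLSocket socket) {
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);
    }

    // Layer TLS over an already connected plain socket. The host passed here
    // must be the name the caller asked to connect to, which is why the client
    // has to remember it.
    static SSLSocket upgrade(Socket plain, String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket tls = (SSLSocket) factory.createSocket(plain, host, port, true);
        tls.setUseClientMode(true);
        requireHostnameMatch(tls);
        tls.startHandshake(); // fails with SSLHandshakeException on a name mismatch
        return tls;
    }

    public static void main(String[] args) throws Exception {
        // Offline check on an unconnected socket: show the setting before and after.
        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        try (SSLSocket socket = (SSLSocket) factory.createSocket()) {
            System.out.println("before: "
                    + socket.getSSLParameters().getEndpointIdentificationAlgorithm());
            requireHostnameMatch(socket);
            System.out.println("after:  "
                    + socket.getSSLParameters().getEndpointIdentificationAlgorithm());
        }
    }
}
```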
