commons-issues mailing list archives

From "Bogdan Drozdowski (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (NET-579) SSL/TLS SocketClients do not verify the hostname against the certificate
Date Sat, 22 Aug 2015 14:21:46 GMT

[ https://issues.apache.org/jira/browse/NET-579?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14708046#comment-14708046 ]

Bogdan Drozdowski commented on NET-579:
---------------------------------------

The patch looks nice, but you can already achieve this functionality - you can always set your own TrustManager in the client instance, e.g. FTPSClient.setTrustManager(), or use a custom SocketFactory. This wouldn't require Java 7 by Commons-NET, would allow you to set even more parameters than these and enable any certificate validations you would wish. Sure, it's less convenient, because you have to code more on the client side.

I'm not a Commons-NET developer, but I don't think I'd like such a change in the code. The problem is that a certificate can be issued to a host name and thus connecting using an IP address would fail or vice versa (a test certificate issued for an IP address inside some local network, and clients connecting with hostnames by a local DNS).

> SSL/TLS SocketClients do not verify the hostname against the certificate
> ------------------------------------------------------------------------
>
>                 Key: NET-579
>                 URL: https://issues.apache.org/jira/browse/NET-579
>             Project: Commons Net
>          Issue Type: Bug
>          Components: FTP, IMAP, POP3, SMTP
>    Affects Versions: 3.3
>         Environment: Java 1.7 (earlier versions cannot verify the hostname)
>            Reporter: Simon Arlott
>            Priority: Critical
>              Labels: security
>         Attachments: NET-579.patch
>
>   Original Estimate: 2h
>  Remaining Estimate: 2h
>
> Every subclass of SocketClient that does SSL/TLS will never verify the hostname of the server against the certificate. This means that any valid certificate for any CA in the default trust store will be accepted without error.
> SocketClient should be modified to store the hostname, and SMTPSClient/FTPSClient/IMAPSClient/POP3SClient should use it when negotiating SSL/TLS.
> Java 1.7 has support for verifying the hostname if SSLParameters.setEndpointIdentificationAlgorithm("HTTPS") is used.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
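The Java 7 step the report refers to, as an added example that is not part of Commons Net or the NET-579 patch: a plain JSSE SSLSocket validates the chain against the trust store but never compares the server name with the certificate, and setting the endpoint identification algorithm to "HTTPS" before the handshake makes the default trust manager perform that comparison. The class name, helper names and the placeholder host are assumptions for this example; the upgrade helper mirrors the explicit-mode (AUTH TLS / STARTTLS) case the FTPS/SMTPS clients use.

```java
import java.io.IOException;
import java.net.Socket;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added example (not commons-net code): enabling hostname verification on JSSE sockets.
public final class EndpointCheckDemo {

    // Must run before startHandshake(); the check is skipped if the parameters are
    // set afterwards, which is exactly the gap NET-579 describes.
    static void enableHostnameVerification(SSLSocket socket) {
        SSLParameters params = socket.getSSLParameters();
        // "HTTPS" selects RFC 2818 style matching of the host used to connect
        // against the certificate's SAN entries (or CN as a fallback). An IP
        // literal is matched against IP-address SANs, which is why a cert issued
        // to a name fails when the client connects by address, and vice versa.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);
    }

    // Implicit mode: TLS from the first byte. Pass the host *name* so JSSE has
    // something to compare against; a mismatch raises SSLHandshakeException.
    static SSLSocket connectVerified(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        enableHostnameVerification(socket);
        socket.startHandshake();
        return socket;
    }

    // Explicit mode: wrap an already-open plaintext socket after AUTH TLS / STARTTLS.
    // The client must still supply the original host name at this point.
    static SSLSocket upgradeVerified(Socket plain, String host) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(plain, host, plain.getPort(), true);
        enableHostnameVerification(socket);
        socket.startHandshake();
        return socket;
    }

    public static void main(String[] args) throws IOException {
        String host = args.length > 0 ? args[0] : "example.invalid"; // placeholder host
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        try (SSLSocket s = connectVerified(host, port)) {
            System.out.println("Verified peer: " + s.getSession().getPeerPrincipal());
        }
    }
}
```

Without the enableHostnameVerification call the same connection succeeds against any server presenting a certificate chained to a trusted CA, regardless of the name on it.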
