commons-issues mailing list archives

From "Simon Arlott (JIRA)" <>
Subject [jira] [Updated] (NET-579) SSL/TLS SocketClients do not verify the hostname against the certificate
Date Sun, 23 Aug 2015 22:36:45 GMT


Simon Arlott updated NET-579:
    Attachment: NET-579_2.patch

This patch adds setEndpointCheckingEnabled() for use with Java 1.7+ and setHostnameVerifier()
for use with older JVMs and Android.

It's not enabled by default, primarily because the default implementation of HostnameVerifier
that Java provides always returns false...

> SSL/TLS SocketClients do not verify the hostname against the certificate
> ------------------------------------------------------------------------
>                 Key: NET-579
>                 URL:
>             Project: Commons Net
>          Issue Type: Bug
>          Components: FTP, IMAP, POP3, SMTP
>    Affects Versions: 3.3
>         Environment: Java 1.7 (earlier versions cannot verify the hostname)
>            Reporter: Simon Arlott
>            Priority: Critical
>              Labels: security
>         Attachments: NET-579.patch, NET-579_2.patch
>   Original Estimate: 2h
>  Remaining Estimate: 2h
> Every subclass of SocketClient that does SSL/TLS will never verify the hostname of the
> server against the certificate. This means that any valid certificate for any CA in the default
> trust store will be accepted without error.
> SocketClient should be modified to store the hostname, and SMTPSClient/FTPSClient/IMAPSClient/POP3SClient
> should use it when negotiating SSL/TLS.
> Java 1.7 has support for verifying the hostname if SSLParameters.setEndpointIdentificationAlgorithm("HTTPS")
> is used.
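The two verification paths the issue describes, as an added illustration that is not part of the attached patches or of Commons Net: on Java 7+ the JSSE handshake itself can match the certificate against the host name once `setEndpointIdentificationAlgorithm("HTTPS")` is set on the socket's `SSLParameters`; on older JVMs and Android the chain is validated but the name is not, so the caller has to run a `HostnameVerifier` against the session after `startHandshake()`. Because the default `HostnameVerifier` in the JDK rejects everything, the code below carries its own small SAN dNSName matcher (a hypothetical helper written for this example; exact match plus a single-label wildcard). The class name `HostnameCheckDemo` and the command-line arguments are assumptions for the demo.

```java
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Locale;

/** Example only (not Commons Net code): two ways to bind a TLS session to a host name. */
public final class HostnameCheckDemo {

    /** Java 7+: the handshake itself checks the certificate against the host name. */
    static SSLSocket connectWithEndpointIdentification(SSLSocketFactory factory,
                                                       String host, int port) throws IOException {
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        // "HTTPS" selects the RFC 2818 matching rules (SAN dNSName, falling back to CN).
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);
        socket.startHandshake(); // SSLHandshakeException if the name does not match
        return socket;
    }

    /** Java 6 / Android: chain validation only, so verify the name after the handshake. */
    static SSLSocket connectWithHostnameVerifier(SSLSocketFactory factory, String host, int port,
                                                 HostnameVerifier verifier) throws IOException {
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        socket.startHandshake(); // without the verify() below this is the NET-579 bug
        if (!verifier.verify(host, socket.getSession())) {
            socket.close();
            throw new SSLPeerUnverifiedException("certificate does not match host " + host);
        }
        return socket;
    }

    /** Minimal SAN dNSName verifier (example helper; the JDK default verifier returns false). */
    static HostnameVerifier sanVerifier() {
        return new HostnameVerifier() {
            @Override
            public boolean verify(String host, SSLSession session) {
                try {
                    Certificate[] chain = session.getPeerCertificates();
                    if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) return false;
                    Collection<List<?>> sans = ((X509Certificate) chain[0]).getSubjectAlternativeNames();
                    if (sans == null) return false;
                    for (List<?> san : sans) {
                        // GeneralName type 2 is dNSName
                        if (Integer.valueOf(2).equals(san.get(0)) && dnsMatches((String) san.get(1), host)) {
                            return true;
                        }
                    }
                    return false;
                } catch (SSLPeerUnverifiedException | CertificateParsingException e) {
                    return false;
                }
            }
        };
    }

    /** Case-insensitive match; a leading "*." wildcard covers exactly one label. */
    static boolean dnsMatches(String pattern, String host) {
        pattern = pattern.toLowerCase(Locale.ROOT);
        host = host.toLowerCase(Locale.ROOT);
        if (!pattern.startsWith("*.")) return pattern.equals(host);
        int dot = host.indexOf('.');
        return dot > 0 && host.substring(dot + 1).equals(pattern.substring(2));
    }

    public static void main(String[] args) throws IOException {
        // host and port are supplied by the caller; defaults are placeholders for the demo
        String host = args.length > 0 ? args[0] : "example.invalid";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();

        try (SSLSocket s = connectWithEndpointIdentification(factory, host, port)) {
            System.out.println("endpoint identification OK: " + s.getSession().getPeerPrincipal());
        }
        try (SSLSocket s = connectWithHostnameVerifier(factory, host, port, sanVerifier())) {
            System.out.println("HostnameVerifier OK: " + s.getSession().getPeerPrincipal());
        }
    }
}
```

Run it as `java HostnameCheckDemo <host> [port]` against a server whose certificate chains to the default trust store; a certificate issued for a different name fails in the first method during `startHandshake()` and in the second at the `verify()` call. The verifier here deliberately ignores the subject CN, which is what the JSSE "HTTPS" algorithm only falls back to when no SAN is present.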

This message was sent by Atlassian JIRA