commons-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Thomas Neidhart <thomas.neidh...@gmail.com>
Subject Re: [email] TLS not verified properly (security issue)
Date Wed, 09 Oct 2013 20:42:15 GMT
On 10/09/2013 12:26 PM, Carl Erberg wrote:
> Hi,
> 
> in the user guide to commons email
> http://commons.apache.org/proper/commons-email/userguide.html
> 
> I found the rather surprising statement:
> "When using a secured transport (STARTTLS or SSL) you can force validating
> the server's certificate by calling Email.setSSLCheckServerIdentity(true).
> Having said that this does not seem to work on any of my test servers
> (GMAIL, GMX)."
> 
> I can confirm that my code also does not complain when I test it against a
> server with a self signed certificate. setSSLCeckServerIdentity not working
> means that commons email is vulnerable to MiTM attacks.
> 
> Is there a fix for this? Am I doing something wrong? Some misunderstanding?
> Any workaround? Is the user guide wrong?
> 
> [ I would not discuss such a security issue on a public mailing list, if it
> wasn't already disclosed in the user guide ]

Hi Carl,

I have tested sending emails to GMAIL and a local postfix installation
with a self-signed certificate.

For the purpose of debugging the ssl handshake, I enabled the following
debug switch: System.setProperty("javax.net.debug", "all");

Results:

 * GMAIL: SSL and TLS work fine, the gmail server certificate is
          reported as trusted:

Found trusted certificate:
[
[
  Version: V3
  Subject: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
....


 * LOCAL:
   - without adding my local certificate to my trustStore, I get the
     following exception:

    Caused by: sun.security.validator.ValidatorException: PKIX path
building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
        at
sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:221)
        at
sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:145)
        at sun.security.validator.Validator.validate(Validator.java:203)
        at
com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:172)
        at
com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
        at
com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:841)
        ... 45 more
    Caused by:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
        at
sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:236)
        at
java.security.cert.CertPathBuilder.build(CertPathBuilder.java:194)
        at
sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:216)
        ... 50 more

   - after adding the certificate to my trustStore, I can successfully
     connect to the server and send emails

So it seems to work fine for me. The problem stated in the userguide may
relate to a time where the root CA (Equifax Secure Certificate
Authority) of the gmail certificate was not yet in the default
trustStore (it is now btw).

Best regards,

Thomas

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@commons.apache.org
For additional commands, e-mail: user-help@commons.apache.org


Mime
View raw message