commons-user mailing list archives

From Siegfried Goeschl <sgoes...@gmx.at>
Subject Re: [email] TLS not verified properly (security issue)
Date Fri, 11 Oct 2013 17:20:01 GMT
Hi Thomas,

I check with my test case and update the documentation accordingly

Thanks,

Siegfried Goeschl

On 09.10.13 22:42, Thomas Neidhart wrote:
> On 10/09/2013 12:26 PM, Carl Erberg wrote:
>> Hi,
>>
>> in the user guide to commons email
>> http://commons.apache.org/proper/commons-email/userguide.html
>>
>> I found the rather surprising statement:
>> "When using a secured transport (STARTTLS or SSL) you can force validating
>> the server's certificate by calling Email.setSSLCheckServerIdentity(true).
>> Having said that this does not seem to work on any of my test servers
>> (GMAIL, GMX)."
>>
>> I can confirm that my code also does not complain when I test it against a
>> server with a self-signed certificate. setSSLCheckServerIdentity not working
>> means that commons email is vulnerable to MiTM attacks.
>>
>> Is there a fix for this? Am I doing something wrong? Some misunderstanding?
>> Any workaround? Is the user guide wrong?
>>
>> [ I would not discuss such a security issue on a public mailing list, if it
>> wasn't already disclosed in the user guide ]
>
> Hi Carl,
>
> I have tested sending emails to GMAIL and a local postfix installation
> with a self-signed certificate.
>
> For the purpose of debugging the ssl handshake, I enabled the following
> debug switch: System.setProperty("javax.net.debug", "all");
>
> Results:
>
>   * GMAIL: SSL and TLS work fine, the gmail server certificate is
>            reported as trusted:
>
> Found trusted certificate:
> [
> [
>    Version: V3
>    Subject: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
>    Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
> ....
>
>
>   * LOCAL:
>     - without adding my local certificate to my trustStore, I get the
>       following exception:
>
>      Caused by: sun.security.validator.ValidatorException: PKIX path
> building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target
>          at
> sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:221)
>          at
> sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:145)
>          at sun.security.validator.Validator.validate(Validator.java:203)
>          at
> com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:172)
>          at
> com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
>          at
> com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:841)
>          ... 45 more
>      Caused by:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target
>          at
> sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:236)
>          at
> java.security.cert.CertPathBuilder.build(CertPathBuilder.java:194)
>          at
> sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:216)
>          ... 50 more
>
>     - after adding the certificate to my trustStore, I can successfully
>       connect to the server and send emails
>
> So it seems to work fine for me. The problem stated in the user guide may
> relate to a time where the root CA (Equifax Secure Certificate
> Authority) of the gmail certificate was not yet in the default
> trustStore (it is now btw).
>
> Best regards,
>
> Thomas
>

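As an added illustration (not code from this thread or from Commons Email itself) of the distinction that Thomas's debug output shows, between PKIX trust-chain validation and the separate server identity check: the program configures Commons Email for STARTTLS with the identity check on, then reads back the JavaMail properties actually set on the Session so a deployment can confirm that neither check has been switched off. Host name, port and addresses are placeholders, and commons-email 1.3.x plus javax.mail are assumed on the classpath.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;
import org.apache.commons.mail.Email;
import org.apache.commons.mail.EmailException;
import org.apache.commons.mail.SimpleEmail;

public class SmtpTlsCheck {
    // STARTTLS with fallback to plaintext refused and the identity check on.
    // Host, port and addresses are placeholders for the reader's own setup.
    static Email configure(String host, int port) throws EmailException {
        Email email = new SimpleEmail();
        email.setHostName(host);
        email.setSmtpPort(port);
        email.setStartTLSRequired(true);
        email.setSSLCheckServerIdentity(true);
        email.setFrom("sender@example.test");
        email.addTo("recipient@example.test");
        email.setSubject("TLS check");
        email.setMsg("test");
        return email;
    }

    // Reads back the JavaMail properties Commons Email set on the Session and flags
    // anything weakening chain validation (trust) or host-name-vs-certificate (identity).
    static List<String> audit(Properties p) {
        List<String> findings = new ArrayList<String>();
        if (!"true".equals(p.getProperty("mail.smtp.ssl.checkserveridentity"))) {
            findings.add("identity check off: mail.smtp.ssl.checkserveridentity != true");
        }
        boolean implicitTls = "javax.net.ssl.SSLSocketFactory"
                .equals(p.getProperty("mail.smtp.socketFactory.class"));
        if (!implicitTls && !"true".equals(p.getProperty("mail.smtp.starttls.required"))) {
            findings.add("encryption not enforced: neither SSL-on-connect nor STARTTLS required");
        }
        String trust = p.getProperty("mail.smtp.ssl.trust");
        if (trust != null) { // "*" or a host list makes JavaMail skip chain validation
            findings.add("chain validation bypassed: mail.smtp.ssl.trust=" + trust);
        }
        return findings;
    }

    public static void main(String[] args) throws EmailException {
        System.setProperty("javax.net.debug", "all"); // the same switch used in the thread
        Email email = configure("smtp.example.test", 587);
        List<String> findings = audit(email.getMailSession().getProperties());
        System.out.println(findings.isEmpty() ? "TLS settings look sound" : findings);
        // email.send(); // runs the real handshake; a self-signed server certificate
        // fails with "PKIX path building failed" until it is added to the trustStore
    }
}
```

With the handshake debug output enabled, a successful run prints "Found trusted certificate" for the server chain, which is the line to look for before concluding the identity check was the part that failed.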
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@commons.apache.org
For additional commands, e-mail: user-help@commons.apache.org

