commons-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Carl Erberg <carlerb...@googlemail.com>
Subject [email] TLS not verified properly (security issue)
Date Wed, 09 Oct 2013 10:26:23 GMT
Hi,

in the user guide to commons email
http://commons.apache.org/proper/commons-email/userguide.html

I found the rather surprising statement:
"When using a secured transport (STARTTLS or SSL) you can force validating
the server's certificate by calling Email.setSSLCheckServerIdentity(true).
Having said that this does not seem to work on any of my test servers
(GMAIL, GMX)."

I can confirm that my code also does not complain when I test it against a
server with a self signed certificate. setSSLCeckServerIdentity not working
means that commons email is vulnerable to MiTM attacks.

Is there a fix for this? Am I doing something wrong? Some misunderstanding?
Any workaround? Is the user guide wrong?

[ I would not discuss such a security issue on a public mailing list, if it
wasn't already disclosed in the user guide ]

Thanks

Carl

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message