commons-user mailing list archives

From Carl Erberg <>
Subject [email] TLS not verified properly (security issue)
Date Wed, 09 Oct 2013 10:26:23 GMT

In the user guide to Commons Email

I found the rather surprising statement:
"When using a secured transport (STARTTLS or SSL) you can force validating
the server's certificate by calling Email.setSSLCheckServerIdentity(true).
Having said that, this does not seem to work on any of my test servers."

I can confirm that my code also does not complain when I test it against a
server with a self-signed certificate. setSSLCheckServerIdentity not working
means that Commons Email is vulnerable to MiTM attacks.

Is there a fix for this? Am I doing something wrong? Some misunderstanding?
Any workaround? Is the user guide wrong?

[ I would not discuss such a security issue on a public mailing list, if it
wasn't already disclosed in the user guide ]
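The following is an added check, written by the editor and not part of the post above or of the Commons Email project. It configures an Email the way the quoted user guide describes (STARTTLS required plus setSSLCheckServerIdentity(true)), prints the JavaMail session properties the library generates, and then attempts a send against a server that presents a self-signed certificate. The host name, port and addresses are placeholders; the property names mail.smtp.ssl.checkserveridentity and mail.smtp.starttls.required are assumed to be the JavaMail keys the library sets for these options. A successful send against a self-signed certificate is the finding the post describes; a rejected handshake is the expected safe outcome.

```java
import org.apache.commons.mail.Email;
import org.apache.commons.mail.EmailException;
import org.apache.commons.mail.SimpleEmail;

import java.util.Properties;

/**
 * Added check (not from the mailing-list post or Commons Email): verify that
 * the identity check configured through the Email API is actually enforced.
 * Host, port and addresses are placeholders for a test environment.
 */
public class TlsVerificationCheck {

    // Placeholder: a test SMTP server known to present a self-signed certificate.
    static final String SELF_SIGNED_HOST = "smtp.selfsigned.example";
    static final int STARTTLS_PORT = 587;

    static Email configure() throws EmailException {
        Email email = new SimpleEmail();
        email.setHostName(SELF_SIGNED_HOST);
        email.setSmtpPort(STARTTLS_PORT);
        email.setStartTLSEnabled(true);
        email.setStartTLSRequired(true);      // fail instead of falling back to cleartext
        email.setSSLCheckServerIdentity(true); // the option the user guide describes
        email.setFrom("sender@example.org");
        email.addTo("recipient@example.org");
        email.setSubject("TLS verification check");
        email.setMsg("Probe message; must not get past a self-signed certificate.");
        return email;
    }

    public static void main(String[] args) throws EmailException {
        Email email = configure();

        // Step 1: inspect what the library hands to JavaMail.
        // Assumption: these are the JavaMail property keys the library populates.
        Properties props = email.getMailSession().getProperties();
        System.out.println("mail.smtp.ssl.checkserveridentity = "
                + props.getProperty("mail.smtp.ssl.checkserveridentity"));
        System.out.println("mail.smtp.starttls.required = "
                + props.getProperty("mail.smtp.starttls.required"));

        // Step 2: attempt the send. Against a self-signed certificate the safe,
        // expected outcome is an EmailException wrapping a TLS handshake failure.
        try {
            email.send();
            System.out.println("FINDING: message sent; server certificate was not verified.");
        } catch (EmailException e) {
            System.out.println("OK: send rejected: " + e.getMessage());
        }
    }
}
```

Run it against a lab SMTP server under your control that presents a self-signed certificate; if step 1 shows the identity property unset, or step 2 reports a successful send, the library is not enforcing the verification the guide promises and a workaround (for example supplying a trust store that contains only the expected certificate) is needed until a fix is available.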
