Details
- Type: Bug
- Status: Open
- Priority: Major
- Resolution: Unresolved
- Affects Version/s: 1.4
- Fix Version/s: None
- Component/s: None
- Environment: Web service client using Axis 1.4 on Sun JDK 1.6
Description
The Axis 1.4 web service client does not validate the server's domain name when connecting to a web service over SSL. The validations that are performed are whether the certificate is valid, not expired and trusted, but not whether the domain the certificate was issued for matches the server name in the URL. The easiest way to reproduce the problem is to call a web service over SSL (with a valid certificate) using the IP address instead of the domain name that appears in the certificate.
It seems that the problem is due to a missing TrustManager in SecureSocketFactory. The SocketFactory implementation does not create a TrustManager unless client authentication is set to true. This might be correct when Axis is used as a web service server (if client authentication is not required, the server does not create a trust manager to validate the client), but it creates a security problem when Axis is used as a client, which should always validate the server's certificate.
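The check the report says is missing, written as an added example for JSSE on JDK 1.6 (it is not Axis code): after the handshake has verified the chain, the leaf certificate's Subject Alternative Names (or, failing those, the subject CN) are matched against the host from the URL, so a valid, trusted certificate issued for another name, or a bare IP address in the URL, is rejected. `HostnameCheck`, `verify`, `matches` and `dnsMatch` are names chosen here.

```java
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;

/** Post-handshake hostname check for an SSL client (added example, not Axis code). */
public final class HostnameCheck {
    /** Call right after startHandshake(): rejects a valid, trusted cert issued for a different host. */
    public static void verify(SSLSocket socket, String host) throws Exception {
        Certificate[] chain = socket.getSession().getPeerCertificates(); // end-entity cert first
        X509Certificate leaf = (X509Certificate) chain[0];
        if (!matches(leaf, host)) {
            throw new SSLPeerUnverifiedException("certificate not issued for " + host
                    + " (subject: " + leaf.getSubjectX500Principal().getName() + ")");
        }
    }

    /** True if host matches a dNSName/iPAddress SAN, or the subject CN when the cert has no SAN. */
    static boolean matches(X509Certificate cert, String host) throws Exception {
        // A literal IP in the URL may only match an iPAddress SAN, never a DNS name or the CN.
        boolean hostIsIp = host.matches("\\d{1,3}(\\.\\d{1,3}){3}") || host.indexOf(':') >= 0;
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null && !sans.isEmpty()) {
            for (List<?> san : sans) {
                int type = (Integer) san.get(0);       // 2 = dNSName, 7 = iPAddress (textual form)
                if (hostIsIp && type == 7 && host.equalsIgnoreCase((String) san.get(1))) return true;
                if (!hostIsIp && type == 2 && dnsMatch((String) san.get(1), host)) return true;
            }
            return false;                              // SAN present: do not fall back to the CN
        }
        if (hostIsIp) return false;
        for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType()) && dnsMatch(rdn.getValue().toString(), host)) return true;
        }
        return false;
    }

    /** Exact match, or a single-label wildcard such as *.example.com (no match for a.b.example.com). */
    static boolean dnsMatch(String pattern, String host) {
        pattern = pattern.toLowerCase();
        host = host.toLowerCase();
        if (!pattern.startsWith("*.")) return pattern.equals(host);
        String suffix = pattern.substring(1);          // ".example.com"
        return host.endsWith(suffix) && host.indexOf('.') == host.length() - suffix.length();
    }
}
```

On JDK 7 and later, `SSLParameters.setEndpointIdentificationAlgorithm("HTTPS")` makes JSSE perform this comparison during the handshake itself; on JDK 1.6, the environment named in this report, a raw SSLSocket gives no such option and the client has to do it by hand as above, before any request bytes are sent.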