[NET-579] SSL/TLS SocketClients do not verify the hostname against the certificate - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: 3.3
Fix Version/s: 3.4
Component/s: FTP, IMAP, POP3, SMTP
Labels:
- security
Environment:

Java 1.7 (earlier versions cannot verify the hostname)

Flags:

Patch

Description

Every subclass of SocketClient that does SSL/TLS will never verify the hostname of the server against the certificate. This means that any valid certificate for any CA in the default trust store will be accepted without error.

SocketClient should be modified to store the hostname, and SMTPSClient/FTPSClient/IMAPSClient/POP3SClient should use it when negotiating SSL/TLS.

Java 1.7 has support for verifying the hostname if SSLParameters.setEndpointIdentificationAlgorithm("HTTPS") is used.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

NET-579_2.patch
23/Aug/15 22:35
24 kB
Simon Arlott
NET-579.patch
22/Aug/15 09:24
7 kB
Simon Arlott

Activity

People

Assignee:: Unassigned

Reporter:: Simon Arlott

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 22/Aug/15 09:14

Updated:: 26/Nov/15 16:37

Resolved:: 24/Aug/15 00:25

Time Tracking

Estimated:

Remaining:

Logged:

Not Specified