Commons Net, issue NET-579

SSL/TLS SocketClients do not verify the hostname against the certificate

Details

• Type: Bug
• Status: Closed
• Priority: Critical
• Resolution: Fixed
• Affects Version/s: 3.3
• Fix Version/s: 3.4
• Component/s: FTP, IMAP, POP3, SMTP
• Environment: Java 1.7 (earlier versions cannot verify the hostname)
• Flags: Patch

Description

Every subclass of SocketClient that does SSL/TLS will never verify the hostname of the server against the certificate. This means that any valid certificate for any CA in the default trust store will be accepted without error.

SocketClient should be modified to store the hostname, and SMTPSClient/FTPSClient/IMAPSClient/POP3SClient should use it when negotiating SSL/TLS.

Java 1.7 has support for verifying the hostname if SSLParameters.setEndpointIdentificationAlgorithm("HTTPS") is used.
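The following is an added illustration of the defect and the fix described above; it is not code from Commons Net or from the attached patches. It upgrades an already-connected plain socket to TLS in two ways: the first mirrors the reported behaviour (chain validated, hostname ignored), the second enables the Java 1.7 endpoint identification that the report recommends. The class name, the `example.invalid` host and port 465 are assumptions for the demonstration only.

```java
import java.io.IOException;
import java.net.Socket;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/** Added example (hypothetical class name), not part of Commons Net. */
public final class HostnameVerifiedUpgrade {

    private HostnameVerifiedUpgrade() {}

    /**
     * Weak pattern matching the reported bug: the certificate chain is checked
     * against the trust store, but the hostname is never compared to the
     * certificate, so any trusted certificate for any host is accepted.
     */
    public static SSLSocket upgradeWithoutHostnameCheck(SSLContext ctx, Socket plain,
                                                        String host, int port) throws IOException {
        SSLSocketFactory factory = ctx.getSocketFactory();
        SSLSocket tls = (SSLSocket) factory.createSocket(plain, host, port, true);
        tls.startHandshake();
        return tls;
    }

    /**
     * Hardened pattern: the stored hostname is passed to the factory and
     * endpoint identification ("HTTPS" rules, Java 1.7+) is switched on before
     * the handshake. A certificate that does not match {@code host} now makes
     * startHandshake() fail with SSLHandshakeException.
     */
    public static SSLSocket upgradeWithHostnameCheck(SSLContext ctx, Socket plain,
                                                     String host, int port) throws IOException {
        SSLSocketFactory factory = ctx.getSocketFactory();
        SSLSocket tls = (SSLSocket) factory.createSocket(plain, host, port, true);
        SSLParameters params = tls.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        tls.setSSLParameters(params);
        tls.startHandshake();
        return tls;
    }

    /** Returns true only if the handshake succeeded with the hostname check enforced. */
    public static boolean connectVerified(String host, int port) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        try (Socket plain = new Socket(host, port);
             SSLSocket tls = upgradeWithHostnameCheck(ctx, plain, host, port)) {
            System.out.println("Verified peer: " + tls.getSession().getPeerPrincipal());
            return true;
        } catch (SSLHandshakeException e) {
            // Raised both for an untrusted chain and for a hostname mismatch.
            System.out.println("Handshake rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // "example.invalid" and 465 are placeholders; pass a real host and port as arguments.
        String host = args.length > 0 ? args[0] : "example.invalid";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 465;
        connectVerified(host, port);
    }
}
```

The hostname must reach the socket factory as a string, not just as a resolved address, which is why the report asks SocketClient to store it: endpoint identification can only compare the certificate against a name it was given. On Java 1.6 the `setEndpointIdentificationAlgorithm` method does not exist, matching the Environment note above.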

Attachments

1. NET-579.patch (7 kB, Simon Arlott)
2. NET-579_2.patch (24 kB, Simon Arlott)

People

• Assignee: Unassigned
• Reporter: Simon Arlott (simonarlott)


Time Tracking

• Original Estimate: 2h
• Remaining Estimate: 2h
• Time Spent: Not Specified