Axis web service client does not validate server's domain name in server's
certificate when calling web service over SSL
------------------------------------------------------------------------------------------------------------------------
Key: AXIS-2793
URL: https://issues.apache.org/jira/browse/AXIS-2793
Project: Axis
Issue Type: Bug
Components: Basic Architecture
Affects Versions: 1.4
Environment: Web service client using 1.5 on Sun JDK 1.6
Reporter: Gil Messerman
The Axis 1.4 web service client does not validate the server's domain name when
connecting to a web service over SSL. The validations that are performed are
whether the certificate is valid, not expired and trusted, but not whether the
issued domain matches the server name in the URL. The easiest way to reproduce
the problem is to call a web service over SSL (with a valid certificate) using the IP
address instead of the domain name that appears in the certificate.
It seems that the problem is due to a missing TrustManager in
SecureSocketFactory. The implementation of SocketFactory does not create a
TrustManager unless client authentication is set to true. This might be correct
when Axis is used as a web service server (if client authentication is not
required, the server does not create a trust manager for client validation) but
it creates a security problem when Axis is used as a client, which should always
validate the server's certificate.
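One way a client-side socket factory can add the missing check, as an added example (not Axis code): the hypothetical HostnameCheckedSocketFactory below lets the JSSE default TrustManager validate the chain during the handshake and then compares the dialed host with the server certificate's SubjectAltName entries before handing the socket back, so a certificate issued for a domain name is rejected when the host is dialed by IP address.

```java
import java.io.IOException;
import java.net.Socket;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;

// Hypothetical client-side factory: chain validation is left to the JSSE default
// TrustManager; the name check that a raw SSLSocket never performs is added here.
public final class HostnameCheckedSocketFactory {
    public static Socket connect(String host, int port) throws IOException {
        SSLSocket sock = (SSLSocket) SSLSocketFactory.getDefault().createSocket(host, port);
        try {
            sock.startHandshake();   // validity, expiry and trust are checked here ...
            X509Certificate leaf = (X509Certificate) sock.getSession().getPeerCertificates()[0];
            if (!matchesHost(leaf, host)) {   // ... but the name binding is not
                throw new SSLPeerUnverifiedException("certificate does not name " + host
                    + ": " + leaf.getSubjectX500Principal());
            }
            return sock;
        } catch (IOException e) {
            sock.close();
            throw e;
        }
    }
    // SubjectAltName entries are [type, value] pairs: dNSName = 2, iPAddress = 7.
    // An IP literal (the reporter's reproduction) only ever matches an iPAddress entry;
    // certificates with no SubjectAltName are rejected rather than falling back to the CN.
    static boolean matchesHost(X509Certificate cert, String host) throws IOException {
        boolean ipLiteral = host.matches("[0-9.]+") || host.indexOf(':') >= 0;
        Collection<List<?>> sans;
        try { sans = cert.getSubjectAlternativeNames(); }
        catch (CertificateParsingException e) { throw new SSLPeerUnverifiedException("bad SAN: " + e); }
        if (sans == null) return false;
        for (List<?> san : sans) {
            int type = ((Integer) san.get(0)).intValue();
            String value = String.valueOf(san.get(1));
            if (type == 7 && ipLiteral && value.equalsIgnoreCase(host)) return true;
            if (type == 2 && !ipLiteral && dnsMatch(value, host)) return true;
        }
        return false;
    }
    // Exact match, or a wildcard confined to the leftmost label (*.example.com).
    static boolean dnsMatch(String pattern, String host) {
        pattern = pattern.toLowerCase(); host = host.toLowerCase();
        if (!pattern.startsWith("*.")) return pattern.equals(host);
        int dot = host.indexOf('.');
        return dot > 0 && host.substring(dot + 1).equals(pattern.substring(2));
    }
}
```

IP addresses are compared textually, so an IPv6 literal must be written in the same form the certificate encodes; a fuller implementation would normalise both sides.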
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.