[
https://issues.apache.org/jira/browse/AXIS-2793?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Gil Messerman updated AXIS-2793:
--------------------------------
Environment: Web service client using Axis 1.4 on Sun JDK 1.6 (was: Web
service client using 1.5 on Sun JDK 1.6)
> Axis web service client does not validate server's domain name in server's
> certificate when calling web service over SSL
> ------------------------------------------------------------------------------------------------------------------------
>
> Key: AXIS-2793
> URL: https://issues.apache.org/jira/browse/AXIS-2793
> Project: Axis
> Issue Type: Bug
> Components: Basic Architecture
> Affects Versions: 1.4
> Environment: Web service client using Axis 1.4 on Sun JDK 1.6
> Reporter: Gil Messerman
>
> The Axis 1.4 web service client does not validate the server's domain name when
> connecting to a web service over SSL. The validations that are performed are
> whether the certificate is valid, not expired and trusted, but not whether
> the issued domain matches the server name in the URL. The easiest way to
> reproduce the problem is to call a web service over SSL (with a valid
> certificate) using an IP address instead of the domain name that appears in the
> certificate.
> It seems that the problem is due to a missing TrustManager in
> SecureSocketFactory. The implementation of SocketFactory does not create a
> TrustManager unless client authentication is set to true. This might be
> correct when Axis is used as a web service server (if client authentication
> is not required, the server does not create a trust manager for the client's
> validation), but it creates a security problem when Axis is used as a client,
> which should always validate the server's certificate.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
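The check the report describes as missing, as an added example that is not part of the issue and not Axis code: a plain JSSE client that lets the default factory validate the chain (trusted, not expired) and then compares the leaf certificate's subjectAltName entries, or the CN as a last resort, against the host named in the URL, in the style of RFC 2818/6125. The class name, the wildcard rule and the default host argument are this example's own choices; the requested host is the string that would appear in the endpoint URL, so calling it with an IP address, the reproduction step from the report, is rejected unless the certificate carries a matching iPAddress entry.

```java
import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.security.auth.x500.X500Principal;

/**
 * Added example (not Axis code): the end-point identity check that AXIS-2793
 * reports as missing. The default JSSE factory validates the chain against the
 * JVM trust store but never compares the certificate's names with the host in
 * the URL, so that comparison is done explicitly after the handshake.
 */
public class VerifiedSslClient {

    private static final int SAN_DNS_NAME = 2;   // GeneralName tag dNSName
    private static final int SAN_IP_ADDRESS = 7; // GeneralName tag iPAddress

    /** Opens a TLS connection and refuses it unless the leaf certificate names the requested host. */
    public static SSLSocket connect(String host, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        try {
            socket.startHandshake(); // chain validation (trusted, not expired) happens here
            Certificate[] chain = socket.getSession().getPeerCertificates();
            X509Certificate leaf = (X509Certificate) chain[0];
            if (!matches(leaf, host)) {
                throw new SSLPeerUnverifiedException("certificate "
                        + leaf.getSubjectX500Principal().getName()
                        + " does not name the requested host " + host);
            }
            return socket;
        } catch (IOException e) {
            socket.close(); // never hand back a socket whose peer identity failed
            throw e;
        }
    }

    /** SAN entries first; the CN is consulted only when there is no dNSName SAN and the host is not an IP. */
    public static boolean matches(X509Certificate cert, String host) {
        String wanted = host.toLowerCase(Locale.ROOT);
        boolean wantedIsIp = isIpLiteral(wanted);
        boolean sawDnsSan = false;
        Collection<List<?>> sans;
        try {
            sans = cert.getSubjectAlternativeNames();
        } catch (CertificateParsingException e) {
            return false; // an unparsable extension is a failed check, not a pass
        }
        if (sans != null) {
            for (List<?> san : sans) {
                int type = (Integer) san.get(0);
                String value = String.valueOf(san.get(1)).toLowerCase(Locale.ROOT);
                if (type == SAN_IP_ADDRESS && wantedIsIp && value.equals(wanted)) {
                    return true;
                }
                if (type == SAN_DNS_NAME) {
                    sawDnsSan = true;
                    if (!wantedIsIp && dnsNameMatches(value, wanted)) {
                        return true;
                    }
                }
            }
        }
        // An IP literal in the URL only ever matches an iPAddress SAN; a DNS-name
        // SAN, when present, takes precedence over the CN.
        if (wantedIsIp || sawDnsSan) {
            return false;
        }
        String cn = commonName(cert);
        return cn != null && dnsNameMatches(cn.toLowerCase(Locale.ROOT), wanted);
    }

    /** Exact match, or one leading wildcard label: "*.example.com" matches "api.example.com" only. */
    static boolean dnsNameMatches(String pattern, String host) {
        if (!pattern.startsWith("*.")) {
            return pattern.equals(host);
        }
        String suffix = pattern.substring(1); // ".example.com"
        int firstDot = host.indexOf('.');
        return firstDot > 0 && host.substring(firstDot).equals(suffix)
                && suffix.indexOf('.', 1) > 0; // refuse "*.com"-style wildcards
    }

    static boolean isIpLiteral(String host) {
        return host.indexOf(':') >= 0 || host.matches("\\d{1,3}(\\.\\d{1,3}){3}");
    }

    /** CN of the subject DN, parsed with LdapName rather than by splitting on commas. */
    static String commonName(X509Certificate cert) {
        try {
            LdapName dn = new LdapName(cert.getSubjectX500Principal().getName(X500Principal.RFC2253));
            for (Rdn rdn : dn.getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return String.valueOf(rdn.getValue());
                }
            }
        } catch (InvalidNameException e) {
            // fall through: no usable CN
        }
        return null;
    }

    public static void main(String[] args) throws IOException {
        String host = args.length > 0 ? args[0] : "example.com"; // default chosen for this example
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        SSLSocket s = connect(host, port);
        System.out.println("verified " + host + ": " + s.getSession().getCipherSuite());
        s.close();
    }
}
```

Run it once with the DNS name from the certificate and once with the server's IP address: the first connects, the second is refused with SSLPeerUnverifiedException, which is the behaviour the report expects of the Axis client. On Java 7 and later JSSE can do this check itself via SSLParameters.setEndpointIdentificationAlgorithm("HTTPS"); the report's environment is JDK 1.6, where that setting does not exist. To apply the check inside Axis 1.4, the same comparison would go into a subclass of org.apache.axis.components.net.JSSESocketFactory registered through the axis.socketSecureFactory property; that hook is from my reading of the Axis 1.4 API and is not described in the report itself.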