[ https://issues.apache.org/jira/browse/NUTCH-2786?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17099312#comment-17099312 ]

Sebastian Nagel commented on NUTCH-2786:
----------------------------------------

Thanks, [~mahir.kabir]! It's obvious that ignoring certificates isn't secure. 
Since NUTCH-2648 users can disable certificate checks using the property 
"[http.tls.certificates.check|https://builds.apache.org/job/nutch-trunk/javadoc/resources/nutch-default.xml#http.tls.certificates.check]".
 Without the possibility to disable certificate checks it's impossible to crawl 
sites with expired or otherwise invalid certificates. Before NUTCH-2648 
certificates were always left unchecked. But, yes, it may be a good idea to 
enable the checks by default. Comments are welcome!

> TrustManager methods do not have certificate validation logic
> -------------------------------------------------------------
>
>                 Key: NUTCH-2786
>                 URL: https://issues.apache.org/jira/browse/NUTCH-2786
>             Project: Nutch
>          Issue Type: Improvement
>            Reporter: Md Mahir Asef Kabir
>            Priority: Major
>
> * *Vulnerability Description:* In 
> “src/plugin/protocol-httpclient/src/java/org/apache/nutch/protocol/httpclient/DummyX509TrustManager.java”
>  overridden TrustManager methods (i.e. checkClientTrusted and 
> checkServerTrusted) do not have validation logic for certificates.
>  * *Reason it’s vulnerable:* It is vulnerable because DummyX509TrustManager 
> implements X509TrustManager and it overrides the standard TrustManager 
> methods (i.e. checkClientTrusted and checkServerTrusted) to do nothing but 
> return a hard-coded *true*. Certificate validation is expected to be handled 
> by these methods. Doing nothing means no verification.
>  * *Suggested Fix:* Add the necessary certificate verification logic in the 
> overridden methods.
>  * *Feedback:* Please select any of the options down below to help us get an 
> idea about how you felt about the suggestion -
>  # Liked it and will make the suggested changes
>  # Liked it but happy with the existing version
>  # Didn’t find the suggestion helpful



--
This message was sent by Atlassian Jira
(v8.3.4#803005)