[ https://issues.apache.org/jira/browse/QPID-8499?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17266921#comment-17266921 ]
Alex Rudyy commented on QPID-8499:
----------------------------------
Hi [~yaxiao],
Thanks for reporting this issue.
You are absolutely right that SiteSpecificTrustStore is vulnerable to
man-in-the-middle attacks. However, the SiteSpecificTrustStore is not present
in the default broker configuration. Thus, the default broker configuration is
not vulnerable. At the moment, it is possible to configure the
SiteSpecificTrustStore via the Broker REST API or Web Management Console or
manually in the configuration file. However, I find it impractical to use
SiteSpecificTrustStore in a production environment. Production systems should
be using either the FileTrustStore or NonJavaTrustStore types.
We will look into fixing the reported issue.
> Customized TrustManager bypasses certificate verification
> ---------------------------------------------------------
>
> Key: QPID-8499
> URL: https://issues.apache.org/jira/browse/QPID-8499
> Project: Qpid
> Issue Type: Improvement
> Reporter: Ya Xiao
> Priority: Major
>
> We found a security vulnerability in file
> [qpid-broker-j/broker-core/src/main/java/org/apache/qpid/server/security/SiteSpecificTrustStoreImpl.java|https://github.com/apache/qpid-broker-j/blob/a70ed6f5edbcf0e8690447d48a1fe64e599cb703/broker-core/src/main/java/org/apache/qpid/server/security/SiteSpecificTrustStoreImpl.java].
> The customized TrustManager (at Line 339) allows all certificates to pass the
> verification.
> *Security Impact*:
> The checkClientTrusted and checkServerTrusted methods are expected to
> implement the certificate validation logic. Bypassing it could allow
> man-in-the-middle attacks.
> *Useful Resources*:
> [https://cwe.mitre.org/data/definitions/295.html]
> [https://developer.android.com/training/articles/security-ssl|https://developer.android.com/training/articles/security-ssl#SelfSigned]
> *Solution we suggest:*
> Do not customize the TrustManager, or specify the certificate validation logic
> instead of allowing all certificates. See
> [here|https://developer.android.com/training/articles/security-ssl] for how to
> securely allow self-signed certificates and other common cases.
> *Please share with us your opinions/comments if there is any:*
> Is the bug report helpful?
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
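The report above concerns an X509TrustManager whose checkClientTrusted and checkServerTrusted methods accept every chain. The following is an added example, not code from the Qpid Broker-J project and not the code at the cited line of SiteSpecificTrustStoreImpl: it places that accept-all anti-pattern (CWE-295) next to one of the remedies the reporter suggests, a trust manager with explicit validation logic that only accepts the one certificate the site-specific store was configured for, compared by SHA-256 fingerprint of the leaf certificate. The class names AcceptAllTrustManager and PinnedLeafTrustManager, the helper names fingerprint and accepts, and the use of two unrelated roots from the JDK's default trust store as stand-in "genuine" and "attacker" certificates are all assumptions of this example, chosen so that it runs offline. It uses java.util.HexFormat and therefore needs JDK 17 or later.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.HexFormat;
import java.util.Set;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustManagerDemo {

    /** The anti-pattern described in the report (CWE-295): no check at all, so any
     *  certificate an attacker presents is accepted and TLS authenticates nothing. */
    static final class AcceptAllTrustManager implements X509TrustManager {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    /** A site-specific trust manager (hypothetical, not the project's class): the peer's
     *  leaf certificate must be valid now and match one of the pinned fingerprints. */
    static final class PinnedLeafTrustManager implements X509TrustManager {
        private final Set<String> pinnedFingerprints = new HashSet<>();
        private final X509Certificate[] pinned;

        PinnedLeafTrustManager(X509Certificate... trusted) throws CertificateException {
            if (trusted.length == 0) {
                throw new IllegalArgumentException("at least one pinned certificate is required");
            }
            for (X509Certificate c : trusted) {
                pinnedFingerprints.add(fingerprint(c));
            }
            this.pinned = trusted.clone();
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            if (chain == null || chain.length == 0) {
                throw new CertificateException("empty certificate chain");
            }
            X509Certificate leaf = chain[0];
            leaf.checkValidity(); // throws CertificateExpiredException / CertificateNotYetValidException
            if (!pinnedFingerprints.contains(fingerprint(leaf))) {
                throw new CertificateException("server certificate is not the pinned certificate: "
                        + leaf.getSubjectX500Principal());
            }
        }

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            // This store exists to verify the remote site; it never vouches for clients.
            throw new CertificateException("client authentication is not supported by this trust manager");
        }

        @Override public X509Certificate[] getAcceptedIssuers() { return pinned.clone(); }
    }

    /** SHA-256 over the DER encoding, as a lowercase hex string. */
    static String fingerprint(X509Certificate c) throws CertificateException {
        try {
            return HexFormat.of().formatHex(MessageDigest.getInstance("SHA-256").digest(c.getEncoded()));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    /** true if the trust manager lets this server chain through, false if it throws. */
    static boolean accepts(X509TrustManager tm, X509Certificate[] chain) {
        try {
            tm.checkServerTrusted(chain, "RSA");
            return true;
        } catch (CertificateException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: two unrelated roots from the JDK's default trust store.
        // They only stand in for "the configured site's certificate" and "a MITM's certificate".
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        X509Certificate[] roots = ((X509TrustManager) tmf.getTrustManagers()[0]).getAcceptedIssuers();
        if (roots.length < 2) {
            throw new IllegalStateException("need two certificates from the default trust store");
        }
        X509Certificate siteCert = roots[0];
        X509Certificate attackerCert = roots[1];

        X509TrustManager vulnerable = new AcceptAllTrustManager();
        X509TrustManager hardened = new PinnedLeafTrustManager(siteCert);

        X509Certificate[] genuine = { siteCert };
        X509Certificate[] forged = { attackerCert };
        X509Certificate[] empty = { };

        System.out.println("accept-all: genuine=" + accepts(vulnerable, genuine)
                + " forged=" + accepts(vulnerable, forged) + " empty=" + accepts(vulnerable, empty));
        System.out.println("pinned:     genuine=" + accepts(hardened, genuine)
                + " forged=" + accepts(hardened, forged) + " empty=" + accepts(hardened, empty));
    }
}
```

Run with `javac TrustManagerDemo.java && java TrustManagerDemo`. The accept-all manager passes the genuine chain, the forged chain and even an empty chain; the pinned manager passes only the chain whose leaf is the configured certificate and rejects the other two. Pinning by leaf fingerprint is appropriate here because a site-specific store is, by definition, tied to one known certificate; where instead a private CA should be trusted, the standard route is to load that CA into a KeyStore and obtain the X509TrustManager from TrustManagerFactory rather than writing checkServerTrusted by hand. Either way, hostname verification is a separate step (for example `SSLParameters.setEndpointIdentificationAlgorithm("HTTPS")` on the client socket) and is not performed by a trust manager.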