[jira] [Updated] (QPID-8499) [Broker-J] Customized TrustManager bypasses certificate verification

Sun, 17 Jan 2021 13:02:19 -0800 


     [ 
https://issues.apache.org/jira/browse/QPID-8499?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Alex Rudyy updated QPID-8499:
-----------------------------
    Summary: [Broker-J] Customized TrustManager bypasses certificate 
verification  (was: Customized TrustManager bypasses certificate verification)

> [Broker-J] Customized TrustManager bypasses certificate verification
> --------------------------------------------------------------------
>
>                 Key: QPID-8499
>                 URL: https://issues.apache.org/jira/browse/QPID-8499
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Broker-J
>            Reporter: Ya Xiao
>            Priority: Major
>
> We found a security vulnerability in file 
> [qpid-broker-j/broker-core/src/main/java/org/apache/qpid/server/security/SiteSpecificTrustStoreImpl.java|https://github.com/apache/qpid-broker-j/blob/a70ed6f5edbcf0e8690447d48a1fe64e599cb703/broker-core/src/main/java/org/apache/qpid/server/security/SiteSpecificTrustStoreImpl.java].
>  The customized TrustManger (at Line 339) allows all certificates to pass the 
> verification.
> *Security Impact*:
> The checkClientTrusted and checkServerTrusted methods are expected to 
> implement the certificate validation logic. Bypassing it could allow 
> man-in-the-middle attacks.
> *Useful Resources*:
> [https://cwe.mitre.org/data/definitions/295.html]
> [https://developer.android.com/training/articles/security-ssl|https://developer.android.com/training/articles/security-ssl#SelfSigned]
> *Solution we suggest:*
> Do not customize the TrustManger or specify the certificate validation logic 
> instead of allowing all certificates. See 
> [here|https://developer.android.com/training/articles/security-ssl] to 
> securely allow self-signed certificates and other common cases.
> *Please share with us your opinions/comments if there is any:*
> Is the bug report helpful?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to