[ 
https://issues.apache.org/jira/browse/SLING-10965?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Oliver Lietz updated SLING-10965:
---------------------------------
    Description: 
This new feature adds support for enabling server identity checks and these 
checks are enabled by default.

A security issue ("SMTPS server hostname not checked when making TLS connection 
to SMTPS server") was reported by Michael Lescisin and accepted by the project. 
The issue is tracked as CVE-2021-44549.

The checks are still not enabled by default in the underlying Jakarta Mail, see 
[Hostname validation for certificates should be enabled by 
default|https://github.com/eclipse-ee4j/mail/issues/429].

The {{SimpleMailService}} in Apache Sling Commons Messaging Mail 1.0 lacks an 
option to enable these checks for the shared mail session.
A user could enable these checks nevertheless by accessing the session via the 
message created by {{SimpleMessageBuilder}} and setting the property 
{{mail.smtps.ssl.checkserveridentity}} to {{true}}:

{noformat}
    // Build a message to reach the shared mail session, then enable the check on it
    MimeMessage message = mailService.getMessageBuilder().build();
    message.getSession().getProperties().setProperty("mail.smtps.ssl.checkserveridentity", "true");
{noformat}

See also [SSLNOTES|https://eclipse-ee4j.github.io/mail/docs/SSLNOTES.txt]:

??Server Identity Check RFC 2595 specifies addition checks that must be 
performed on the server's certificate to ensure that the server you connected 
to is the server you intended to connect to. This reduces the risk of "man in 
the middle" attacks. For compatibility with earlier releases of Jakarta Mail, 
these additional checks are disabled by default. We strongly recommend that you 
enable these checks when using SSL. To enable these checks, set the 
"mail.<protocol>.ssl.checkserveridentity" property to "true".??


  was:
??Server Identity Check RFC 2595 specifies addition checks that must be 
performed on the server's certificate to ensure that the server you connected 
to is the server you intended to connect to. This reduces the risk of "man in 
the middle" attacks. For compatibility with earlier releases of Jakarta Mail, 
these additional checks are disabled by default. We strongly recommend that you 
enable these checks when using SSL. To enable these checks, set the 
"mail.<protocol>.ssl.checkserveridentity" property to "true".??

[https://eclipse-ee4j.github.io/mail/docs/SSLNOTES.txt]


> Support server identity check
> -----------------------------
>
>                 Key: SLING-10965
>                 URL: https://issues.apache.org/jira/browse/SLING-10965
>             Project: Sling
>          Issue Type: New Feature
>          Components: Commons
>            Reporter: Oliver Lietz
>            Assignee: Oliver Lietz
>            Priority: Critical
>             Fix For: Commons Messaging Mail 2.0.0
>
>
> This new feature adds support for enabling server identity checks and these 
> checks are enabled by default.
> A security issue ("SMTPS server hostname not checked when making TLS 
> connection to SMTPS server") was reported by Michael Lescisin and accepted by 
> the project. The issue is tracked as CVE-2021-44549.
> The checks are still not enabled by default in the underlying Jakarta Mail, 
> see [Hostname validation for certificates should be enabled by 
> default|https://github.com/eclipse-ee4j/mail/issues/429].
> The {{SimpleMailService}} in Apache Sling Commons Messaging Mail 1.0 lacks an 
> option to enable these checks for the shared mail session.
> A user could enable these checks nevertheless by accessing the session via 
> the message created by {{SimpleMessageBuilder}} and setting the property 
> {{mail.smtps.ssl.checkserveridentity}} to {{true}}:
> {noformat}
>     // Build a message to reach the shared mail session, then enable the check on it
>     MimeMessage message = mailService.getMessageBuilder().build();
>     message.getSession().getProperties().setProperty("mail.smtps.ssl.checkserveridentity", "true");
> {noformat}
> See also [SSLNOTES|https://eclipse-ee4j.github.io/mail/docs/SSLNOTES.txt]:
> ??Server Identity Check RFC 2595 specifies addition checks that must be 
> performed on the server's certificate to ensure that the server you connected 
> to is the server you intended to connect to. This reduces the risk of "man in 
> the middle" attacks. For compatibility with earlier releases of Jakarta Mail, 
> these additional checks are disabled by default. We strongly recommend that 
> you enable these checks when using SSL. To enable these checks, set the 
> "mail.<protocol>.ssl.checkserveridentity" property to "true".??



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
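
An added example, not code from the issue or from Apache Sling: because Jakarta Mail leaves {{mail.<protocol>.ssl.checkserveridentity}} off unless it is set, this audit flags every protocol that has settings in a mail configuration but no explicit {{true}} for the check, then enables it. The class name, the protocol list and the sample host are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

public class ServerIdentityCheckAudit {

    // Values used for <protocol> in mail.<protocol>.* keys (assumed list; extend as needed).
    static final String[] PROTOCOLS = {"smtp", "smtps", "imap", "imaps", "pop3", "pop3s"};

    static String checkKey(String protocol) {
        return "mail." + protocol + ".ssl.checkserveridentity";
    }

    /** Protocols that have at least one setting but no explicit "true" for the identity check. */
    static List<String> findUnchecked(Properties props) {
        List<String> unchecked = new ArrayList<>();
        for (String protocol : PROTOCOLS) {
            String prefix = "mail." + protocol + ".";
            boolean configured = props.stringPropertyNames().stream()
                    .anyMatch(name -> name.startsWith(prefix));
            // A missing key counts as disabled, matching the library default described above.
            boolean enabled = Boolean.parseBoolean(props.getProperty(checkKey(protocol)));
            if (configured && !enabled) {
                unchecked.add(protocol);
            }
        }
        return unchecked;
    }

    /** Sets the check to "true" for every protocol reported by findUnchecked. */
    static void enforce(Properties props) {
        for (String protocol : findUnchecked(props)) {
            props.setProperty(checkKey(protocol), "true");
        }
    }

    public static void main(String[] args) {
        // Constructed sample configuration: SMTPS without the check, SMTP with it.
        Properties props = new Properties();
        props.setProperty("mail.smtps.host", "smtp.example.org");
        props.setProperty("mail.smtps.port", "465");
        props.setProperty("mail.smtp.host", "smtp.example.org");
        props.setProperty("mail.smtp.starttls.enable", "true");
        props.setProperty("mail.smtp.ssl.checkserveridentity", "true");

        System.out.println("unchecked before: " + findUnchecked(props));
        enforce(props);
        System.out.println("unchecked after:  " + findUnchecked(props));
    }
}
```

The audited {{Properties}} object is what would then be handed to {{Session.getInstance}}, so the check is in place before any connection is opened.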
