[ 
https://issues.apache.org/jira/browse/ARTEMIS-3070?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17267401#comment-17267401
 ] 

Justin Bertram commented on ARTEMIS-3070:
-----------------------------------------

This isn't a problem for 2 reasons:

# The custom trust manager is _explicitly_ written to allow all certificates to 
pass the verification. That's why the method containing this code is called 
{{createTrustAllTrustManager}}. This method is only called if the client has 
specifically set {{trustAll}} to {{true}} in 
{{org.apache.activemq.transport.netty.NettyTransportSslOptions}}.
# This code comes from an AMQP *test* client that is not actually shipped with 
ActiveMQ Artemis. It is only used for AMQP tests in the internal test-suite. 

The bug report is not helpful because it's focused too narrowly on the 
{{javax.net.ssl.TrustManager}} implementation and doesn't take into account the 
larger context of how and why it was written.

> Customized TrustManager bypasses certificate verification
> ---------------------------------------------------------
>
>                 Key: ARTEMIS-3070
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-3070
>             Project: ActiveMQ Artemis
>          Issue Type: Improvement
>            Reporter: Ya Xiao
>            Priority: Major
>
> In file 
> [activemq-artemis/tests/artemis-test-support/src/main/java/org/apache/activemq/transport/netty/NettyTransportSupport.java|https://github.com/apache/activemq-artemis/blob/52263663c48082227916cc3477f8892d9f10134b/tests/artemis-test-support/src/main/java/org/apache/activemq/transport/netty/NettyTransportSupport.java],
>  the customized TrustManger allows all certificates to pass the verification 
> (at Line 288).
> *Security Impact*:
> The checkClientTrusted and checkServerTrusted methods are expected to 
> implement the certificate validation logic. Bypassing it could allow 
> man-in-the-middle attacks.
> *Useful Resources*:
> [https://cwe.mitre.org/data/definitions/295.html]
> *Solution we suggest:*
> Do not customize the TrustManger or specify the certificate validation logic 
> instead of allowing all certificates. 
> *Please share with us your opinions/comments if there is any:*
> Is the bug report helpful?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to