Simon Arlott created NET-579:
--------------------------------
Summary: SSL/TLS SocketClients do not verify the hostname against
the certificate
Key: NET-579
URL: https://issues.apache.org/jira/browse/NET-579
Project: Commons Net
Issue Type: Bug
Components: FTP, IMAP, POP3, SMTP
Affects Versions: 3.3
Environment: Java 1.7 (earlier versions cannot verify the hostname)
Reporter: Simon Arlott
Priority: Critical

Every subclass of SocketClient that does SSL/TLS will never verify the hostname
of the server against the certificate. This means that any valid certificate
for any CA in the default trust store will be accepted without error.

SocketClient should be modified to store the hostname, and
SMTPSClient/FTPSClient/IMAPSClient/POP3SClient should use it when negotiating
SSL/TLS.

Java 1.7 has support for verifying the hostname if
SSLParameters.setEndpointIdentificationAlgorithm("HTTPS") is used.
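
The change the report asks for, sketched as an added example (not part of the original report and not Commons Net code): the hostname the caller connected to is kept and passed to the TLS upgrade, and endpoint identification is switched on before the handshake. The class and method names (HostnameVerifiedUpgrade, requireHostnameMatch, upgrade) are hypothetical; only the javax.net.ssl calls are real API.

```java
import java.io.IOException;
import java.net.Socket;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added illustration; class and method names are hypothetical, not Commons Net API.
public class HostnameVerifiedUpgrade {

    // Ask JSSE to match the server certificate against the requested hostname
    // during the handshake (available from Java 7).
    static void requireHostnameMatch(SSLSocket tls) {
        SSLParameters params = tls.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        tls.setSSLParameters(params);
    }

    // Layer TLS over an already connected plain socket, as a STARTTLS-style
    // client does. The hostname must be the one the caller asked for; without
    // it there is nothing to compare the certificate against.
    static SSLSocket upgrade(Socket plain, String hostname, int port) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket tls = (SSLSocket) factory.createSocket(plain, hostname, port, true);
        requireHostnameMatch(tls);
        tls.startHandshake(); // SSLHandshakeException if the name does not match
        return tls;
    }

    public static void main(String[] args) throws Exception {
        // Offline check: show the setting on a fresh, unconnected SSLSocket
        // before and after it is configured.
        SSLSocket probe = (SSLSocket) SSLSocketFactory.getDefault().createSocket();
        System.out.println("default:  " + probe.getSSLParameters().getEndpointIdentificationAlgorithm());
        requireHostnameMatch(probe);
        System.out.println("hardened: " + probe.getSSLParameters().getEndpointIdentificationAlgorithm());
        probe.close();

        // Optional live check: java HostnameVerifiedUpgrade <host> <port>
        if (args.length == 2) {
            int port = Integer.parseInt(args[1]);
            try (SSLSocket tls = upgrade(new Socket(args[0], port), args[0], port)) {
                System.out.println("peer: " + tls.getSession().getPeerPrincipal());
            }
        }
    }
}
```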