[
https://issues.apache.org/jira/browse/NET-579?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14708046#comment-14708046
]
Bogdan Drozdowski commented on NET-579:
---------------------------------------
The patch looks nice, but you can already achieve this functionality - you can
always set your own TrustManager in the client instance, e.g.
FTPSClient.setTrustManager(), or use a custom SocketFactory.
This wouldn't require Java 7 by Commons-NET, would allow setting even more
parameters than these and would enable any certificate validation you wished.
Sure, it's less convenient, because you have to code more on the client side.
I'm not a Commons-NET developer, but I don't think I'd like such a change in
the code. The problem is that a certificate can be issued to a host name and
thus connecting using an IP address would fail or vice versa (a test
certificate issued for an IP address inside some local network, and clients
connecting with hostnames by a local DNS).
> SSL/TLS SocketClients do not verify the hostname against the certificate
> ------------------------------------------------------------------------
>
> Key: NET-579
> URL: https://issues.apache.org/jira/browse/NET-579
> Project: Commons Net
> Issue Type: Bug
> Components: FTP, IMAP, POP3, SMTP
> Affects Versions: 3.3
> Environment: Java 1.7 (earlier versions cannot verify the hostname)
> Reporter: Simon Arlott
> Priority: Critical
> Labels: security
> Attachments: NET-579.patch
>
> Original Estimate: 2h
> Remaining Estimate: 2h
>
> Every subclass of SocketClient that does SSL/TLS will never verify the
> hostname of the server against the certificate. This means that any valid
> certificate for any CA in the default trust store will be accepted without
> error.
> SocketClient should be modified to store the hostname, and
> SMTPSClient/FTPSClient/IMAPSClient/POP3SClient should use it when negotiating
> SSL/TLS.
> Java 1.7 has support for verifying the hostname if
> SSLParameters.setEndpointIdentificationAlgorithm("HTTPS") is used.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
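The Java 7 mechanism the report names, applied to the STARTTLS-style upgrade that the SSL/TLS SocketClients perform, as an added example that is not Commons Net code and not from either participant; the class name, the `upgrade` method and the placeholder host in `main` are assumptions.

```java
import java.io.IOException;
import java.net.Socket;
import java.security.NoSuchAlgorithmException;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Layers TLS over an already-connected plain socket (the explicit FTPS /
 * STARTTLS pattern) and turns on endpoint identification so that the server
 * certificate is matched against the host name the client intended to reach.
 */
public final class HostnameVerifiedTls {

    private HostnameVerifiedTls() {}

    public static SSLSocket upgrade(Socket plain, String host, int port) throws IOException {
        SSLSocketFactory factory = defaultContext().getSocketFactory();
        // The host argument here is NOT checked against the certificate; JSSE
        // only uses it for SNI and the session cache. That is the gap NET-579
        // describes: any certificate chaining to a trusted CA is accepted.
        SSLSocket tls = (SSLSocket) factory.createSocket(plain, host, port, true);

        // Java 7+: ask JSSE to compare the certificate's SAN/CN with host using
        // the HTTPS (RFC 2818) rules. A mismatch fails the handshake.
        SSLParameters params = tls.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        tls.setSSLParameters(params);

        tls.setUseClientMode(true);
        tls.startHandshake(); // throws SSLHandshakeException on name mismatch
        return tls;
    }

    private static SSLContext defaultContext() throws IOException {
        try {
            return SSLContext.getDefault();
        } catch (NoSuchAlgorithmException e) {
            throw new IOException(e);
        }
    }

    // Constructed usage with a placeholder host; the plaintext protocol exchange
    // that precedes the TLS upgrade (e.g. AUTH TLS) is left to the caller.
    public static void main(String[] args) throws IOException {
        String host = args.length > 0 ? args[0] : "ftps.example.invalid";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 21;
        try (Socket plain = new Socket(host, port); SSLSocket tls = upgrade(plain, host, port)) {
            System.out.println("Verified peer: " + tls.getSession().getPeerPrincipal());
        }
    }
}
```

If the client connects by IP address rather than host name, the HTTPS rules require a matching iPAddress subject alternative name, which is exactly the host-name/IP mismatch raised in the comment above.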