[
https://issues.apache.org/jira/browse/NET-579?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14708090#comment-14708090
]
Simon Arlott commented on NET-579:
----------------------------------
The connection is supposed to fail when it's not secure, and there is no
TrustManager that checks the hostname. There's also no API in commons-net to
replace the SSLSocketFactory that is used. Even with a custom
TrustManager/SSLSocketFactory you still don't have access to the hostname
because the code in commons-net discards it.
> SSL/TLS SocketClients do not verify the hostname against the certificate
> ------------------------------------------------------------------------
>
> Key: NET-579
> URL: https://issues.apache.org/jira/browse/NET-579
> Project: Commons Net
> Issue Type: Bug
> Components: FTP, IMAP, POP3, SMTP
> Affects Versions: 3.3
> Environment: Java 1.7 (earlier versions cannot verify the hostname)
> Reporter: Simon Arlott
> Priority: Critical
> Labels: security
> Attachments: NET-579.patch
>
> Original Estimate: 2h
> Remaining Estimate: 2h
>
> Every subclass of SocketClient that does SSL/TLS will never verify the
> hostname of the server against the certificate. This means that any valid
> certificate for any CA in the default trust store will be accepted without
> error.
> SocketClient should be modified to store the hostname, and
> SMTPSClient/FTPSClient/IMAPSClient/POP3SClient should use it when negotiating
> SSL/TLS.
> Java 1.7 has support for verifying the hostname if
> SSLParameters.setEndpointIdentificationAlgorithm("HTTPS") is used.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
