[ https://issues.apache.org/jira/browse/NET-579?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14708548#comment-14708548 ]

Simon Arlott commented on NET-579:
----------------------------------

The hostname has to be retained (there's no API change required for that).

For Java 1.7+, there needs to be a way to call 
setEndpointIdentificationAlgorithm("HTTPS") on the SSLParameters for the 
SSLSocket, before negotiating TLS.

For everything else (i.e. Android), there needs to be a post-TLS verification 
check using the SSLSession (which can be obtained from the SSLSocket) and the 
hostname. This could either be a protected method that has to be overridden or 
a callback interface that takes a hostname and SSLSocket/SSLSession and returns 
a boolean verification result.

> SSL/TLS SocketClients do not verify the hostname against the certificate
> ------------------------------------------------------------------------
>
>                 Key: NET-579
>                 URL: https://issues.apache.org/jira/browse/NET-579
>             Project: Commons Net
>          Issue Type: Bug
>          Components: FTP, IMAP, POP3, SMTP
>    Affects Versions: 3.3
>         Environment: Java 1.7 (earlier versions cannot verify the hostname)
>            Reporter: Simon Arlott
>            Priority: Critical
>              Labels: security
>         Attachments: NET-579.patch
>
>   Original Estimate: 2h
>  Remaining Estimate: 2h
>
> Every subclass of SocketClient that does SSL/TLS will never verify the 
> hostname of the server against the certificate. This means that any valid 
> certificate for any CA in the default trust store will be accepted without 
> error.
> SocketClient should be modified to store the hostname, and 
> SMTPSClient/FTPSClient/IMAPSClient/POP3SClient should use it when negotiating 
> SSL/TLS.
> Java 1.7 has support for verifying the hostname if 
> SSLParameters.setEndpointIdentificationAlgorithm("HTTPS") is used.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
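The two verification paths described in the comment above, as an added illustration in Java; this is not Commons Net code and not the attached NET-579.patch. The class name TlsHostnameCheck, the method names and the EXACT_SAN_MATCH verifier are assumptions. enableEndpointIdentification() is the Java 1.7+ path (SSLParameters.setEndpointIdentificationAlgorithm("HTTPS"), set before the handshake); handshakeAndVerify() is the post-TLS callback path for platforms without it, taking the hostname the client connected to and the negotiated SSLSession.

```java
import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;

/**
 * Hostname verification for a client SSLSocket (added example; class and
 * method names are assumptions, not Commons Net API).
 */
public final class TlsHostnameCheck {

    private TlsHostnameCheck() {}

    /**
     * Java 1.7+ path: ask JSSE to check the server certificate against the
     * hostname as part of the handshake. Must run before startHandshake(),
     * i.e. before any data is written to the SSLSocket, or it has no effect.
     */
    public static void enableEndpointIdentification(SSLSocket socket) {
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);
    }

    /**
     * Fallback path (e.g. Android): complete the handshake, then hand the
     * negotiated SSLSession and the hostname to a callback. On a false
     * result the socket is closed so no application data (FTP/SMTP/IMAP/POP3
     * credentials) is ever sent to an unverified peer.
     */
    public static void handshakeAndVerify(SSLSocket socket, String hostname,
                                          HostnameVerifier verifier) throws IOException {
        socket.startHandshake();
        SSLSession session = socket.getSession();
        if (!verifier.verify(hostname, session)) {
            socket.close();
            throw new SSLPeerUnverifiedException(
                    "Server certificate does not match hostname " + hostname);
        }
    }

    /**
     * Example callback for the fallback path: accept only when a
     * subjectAltName dNSName entry equals the hostname (case-insensitive).
     * Deliberately strict: no wildcard or CN matching, and any parsing
     * failure is treated as a mismatch.
     */
    public static final HostnameVerifier EXACT_SAN_MATCH = new HostnameVerifier() {
        @Override
        public boolean verify(String hostname, SSLSession session) {
            try {
                Certificate[] chain = session.getPeerCertificates();
                if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
                    return false;
                }
                Collection<List<?>> sans =
                        ((X509Certificate) chain[0]).getSubjectAlternativeNames();
                if (sans == null) {
                    return false;
                }
                for (List<?> san : sans) {
                    // GeneralName type 2 is dNSName (RFC 5280)
                    if (Integer.valueOf(2).equals(san.get(0))
                            && hostname.equalsIgnoreCase((String) san.get(1))) {
                        return true;
                    }
                }
                return false;
            } catch (SSLPeerUnverifiedException e) {
                return false;
            } catch (CertificateParsingException e) {
                return false;
            }
        }
    };
}
```

In a SocketClient subclass both calls belong at the point where the plain socket has been wrapped into an SSLSocket and before the handshake is started, using the hostname originally passed to connect(); with the Java 1.7+ path the handshake itself fails on a mismatch, whereas the fallback path only detects the mismatch after the handshake and must close the socket itself.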