[ https://issues.apache.org/jira/browse/IGNITE-14004?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17270792#comment-17270792 ]

Ya Xiao commented on IGNITE-14004:
----------------------------------

Yes, there are more secure ways to handle self-signed certificates. 

One approach is to add the self-signed certificate we want to trust to 
[KeyStore|https://docs.oracle.com/javase/7/docs/api/java/security/KeyStore.html].
 KeyStore specifies the trusted anchors of TrustManager. 
[Here|https://github.com/AthenaXiao/SecureTLSCodeExample/blob/master/TrustmanagerExamples/specifiedTM.java]
 is an example to allow a specific self-signed certificate to pass the 
validation. It ties a TrustManager to a specific KeyStore where the self-signed 
certificate is added. The checkServerTrusted method still works as the default 
to prevent attacks. 

> Customized TrustManager bypasses certificate verification
> ---------------------------------------------------------
>
>                 Key: IGNITE-14004
>                 URL: https://issues.apache.org/jira/browse/IGNITE-14004
>             Project: Ignite
>          Issue Type: Bug
>          Components: clients, control.sh, security
>            Reporter: Ya Xiao
>            Priority: Critical
>              Labels: security
>
> We found a security vulnerability in file 
> [ignite/modules/core/src/main/java/org/apache/ignite/internal/client/ssl/GridSslBasicContextFactory.java|https://github.com/apache/ignite/blob/be3072ff278a2542e41d008b5379473867df3814/modules/core/src/main/java/org/apache/ignite/internal/client/ssl/GridSslBasicContextFactory.java].
>  The customized TrustManager (at Line 502) allows all certificates to pass the 
> verification.
> *Security Impact*:
> The checkClientTrusted and checkServerTrusted methods are expected to 
> implement the certificate validation logic. Bypassing it could allow 
> man-in-the-middle attacks.
> *Useful Resources*:
> [https://cwe.mitre.org/data/definitions/295.html]
> [https://developer.android.com/training/articles/security-ssl|https://developer.android.com/training/articles/security-ssl#SelfSigned]
> *Solution we suggest:*
> Do not customize the TrustManager or specify the certificate validation logic 
> instead of allowing all certificates. See 
> [here|https://developer.android.com/training/articles/security-ssl] to 
> securely allow self-signed certificates and other common cases.
> *Please share with us your opinions/comments if there is any:*
> Is the bug report helpful?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
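
The KeyStore approach described in the comment above, as an added example (not code from this thread, the linked repository, or Ignite). The class name, method names, the alias and the certificate path passed as the first argument are assumptions made for illustration.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class PinnedSelfSignedContext {

    /** Default TrustManagers whose only trust anchor is the certificate in certFile (PEM or DER). */
    static TrustManager[] trustManagersFor(String certFile) throws Exception {
        Certificate cert;
        try (InputStream in = Files.newInputStream(Paths.get(certFile))) {
            cert = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        // Empty in-memory KeyStore holding only the certificate we chose to trust.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        ks.setCertificateEntry("pinned-server", cert); // alias is arbitrary (assumption)

        // The stock TrustManager keeps its normal checkServerTrusted logic;
        // only the set of trust anchors changes.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        return tmf.getTrustManagers();
    }

    /** SSLContext that validates peers against that single anchor. */
    static SSLContext contextFor(String certFile) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustManagersFor(certFile), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Print the anchors so the result can be checked: exactly one is expected.
        for (TrustManager tm : trustManagersFor(args[0])) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    System.out.println("trusted anchor: " + ca.getSubjectX500Principal());
                }
            }
        }
    }
}
```

A raw SSLSocket created from this context does not check the host name unless SSLParameters.setEndpointIdentificationAlgorithm("HTTPS") is set on it; HttpsURLConnection checks it by default.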
