Bug#692442: patch applied to commons-httpclient upstream
Hi

The patch is applied upstream:
http://svn.apache.org/viewvc?view=revision&revision=1422573
http://svn.apache.org/repos/asf/httpcomponents/oac.hc3x/trunk

Kind regards
Alberto

__
This is the maintainer address of Debian's Java team http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. Please use debian-j...@lists.debian.org for discussions and questions.
Bug#692442: Patches for CVE-2012-5783 and CVE-2012-5784
Hi.

Both patches attached at upstream JIRA and reopened HTTPCLIENT-1265. Waiting for response.

Kind regards
Alberto
Bug#687692: examples
Hi Tobias

Here's a testcase. In sid it works fine, but if I use the jars provided in testing it fails.

Important: the pdf file is protected, so bouncycastle is necessary to decrypt it. Normal pdf files don't fail because they don't need bouncycastle.

Attached sample pdf and sample java that counts the pages of a pdf.

Sid. It prints the expected output:

pages = 1

In Testing: throws this exception:

Exception in thread "main" java.lang.NoClassDefFoundError: org/bouncycastle/asn1/ASN1ObjectIdentifier
        at com.lowagie.text.pdf.PdfEncryption.<init>(Unknown Source)
        at com.lowagie.text.pdf.PdfReader.readDecryptedDocObj(Unknown Source)
        at com.lowagie.text.pdf.PdfReader.readDocObj(Unknown Source)
        at com.lowagie.text.pdf.PdfReader.readPdf(Unknown Source)
        at com.lowagie.text.pdf.PdfReader.<init>(Unknown Source)
        at com.lowagie.text.pdf.PdfReader.<init>(Unknown Source)
        at Main.main(Main.java:17)
Caused by: java.lang.ClassNotFoundException: org.bouncycastle.asn1.ASN1ObjectIdentifier
        at java.net.URLClassLoader$1.run(URLClassLoader.java:366)
        at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:423)
        at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:356)
        ... 7 more

Attachment: example2.pdf (Adobe PDF document)

Attachment: Main.java

import java.io.IOException;
import com.lowagie.text.pdf.PdfReader;

public class Main {
    /**
     * Test http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=687692
     * Opens the PDF given on the command line (default: example2.pdf) and
     * prints its page count; an encrypted PDF makes PdfReader load bouncycastle.
     * @throws IOException
     */
    public static void main(String[] args) throws IOException {
        String fileName = "example2.pdf";
        if (args != null && args.length > 0) {
            fileName = args[0];
        }
        PdfReader reader = new PdfReader(fileName);
        System.out.println("pages = " + reader.getNumberOfPages());
        reader.close();
    }
}
Bug#687692: testcase bug 687692
Hi Tobias and Niels

I've uploaded to the BTS a testcase for the bug. It's a protected pdf sample file and a simple java program that counts the number of pages of a PDF. It works fine in sid and fails in testing.

Greetings
Alberto
Bug#692442: Patches for CVE-2012-5783 and CVE-2012-5784
Hi All,

I've prepared the patch with the problem pointed out by David fixed (thanks David). It also fixes a bug related to wildcard certificates.

The first patch is backported from httpclient 4.0 and apache synapse. This second patch backports some fixes from httpclient 4.2.

The patch differs a lot from the 4.x line for two reasons: first, the code architecture changes; second, I want to maintain the 3.1 API unchanged, so all methods are private and only apply to one class.

The patch for axis and commons-httpclient is the same. In the function where they create an SSLSocket, I've put the same routine to validate the hostname against the certificate's valid names.

I'll upload the new patches in their place. Please review them and when ready I can upload a new package to mentors.

Thanks
Bug#692442: new patch for commons-httpclient CVE-2012-5783 (full patch)
Description: Fixed CN extraction from DN of X500 principal and wildcard validation commons-httpclient (3.1-10.2) unstable; urgency=low * Fixed CN extraction from DN of X500 principal and wildcard validation Author: Alberto Fernández Martínez inf...@gmail.com Origin: other Bug-Debian: http://bugs.debian.org/692442 Forwarded: https://issues.apache.org/jira/browse/HTTPCLIENT-1265 Last-Update: 2012-12-06 --- commons-httpclient-3.1.orig/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java +++ commons-httpclient-3.1/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java @@ -31,10 +31,25 @@ package org.apache.commons.httpclient.protocol; import java.io.IOException; +import java.io.InputStream; import java.net.InetAddress; import java.net.Socket; import java.net.UnknownHostException; +import java.security.cert.Certificate; +import java.security.cert.CertificateParsingException; +import java.security.cert.X509Certificate; +import java.util.Arrays; +import java.util.Collection; +import java.util.Iterator; +import java.util.LinkedList; +import java.util.List; +import java.util.Locale; +import java.util.StringTokenizer; +import java.util.regex.Pattern; +import javax.net.ssl.SSLException; +import javax.net.ssl.SSLSession; +import javax.net.ssl.SSLSocket; import javax.net.ssl.SSLSocketFactory; import org.apache.commons.httpclient.ConnectTimeoutException; @@ -55,6 +70,11 @@ public class SSLProtocolSocketFactory im */ private static final SSLProtocolSocketFactory factory = new SSLProtocolSocketFactory(); +// This is a a sorted list, if you insert new elements do it orderdered. +private final static String[] BAD_COUNTRY_2LDS = +{ac, co, com, ed, edu, go, gouv, gov, info, +lg, ne, net, or, org}; + /** * Gets an singleton instance of the SSLProtocolSocketFactory. * @return a SSLProtocolSocketFactory 
@@ -79,12 +99,14 @@ public class SSLProtocolSocketFactory im InetAddress clientHost, int clientPort) throws IOException, UnknownHostException { -return SSLSocketFactory.getDefault().createSocket( +Socket sslSocket = SSLSocketFactory.getDefault().createSocket( host, port, clientHost, clientPort ); +verifyHostName(host, (SSLSocket) sslSocket); +return sslSocket; } /** @@ -124,16 +146,19 @@ public class SSLProtocolSocketFactory im } int timeout = params.getConnectionTimeout(); if (timeout == 0) { -return createSocket(host, port, localAddress, localPort); +Socket sslSocket = createSocket(host, port, localAddress, localPort); +verifyHostName(host, (SSLSocket) sslSocket); +return sslSocket; } else { // To be eventually deprecated when migrated to Java 1.4 or above -Socket socket = ReflectionSocketFactory.createSocket( +Socket sslSocket = ReflectionSocketFactory.createSocket( javax.net.ssl.SSLSocketFactory, host, port, localAddress, localPort, timeout); -if (socket == null) { -socket = ControllerThreadSocketFactory.createSocket( +if (sslSocket == null) { + sslSocket = ControllerThreadSocketFactory.createSocket( this, host, port, localAddress, localPort, timeout); } -return socket; +verifyHostName(host, (SSLSocket) sslSocket); +return sslSocket; } } @@ -142,10 +167,12 @@ public class SSLProtocolSocketFactory im */ public Socket createSocket(String host, int port) throws IOException, UnknownHostException { -return SSLSocketFactory.getDefault().createSocket( +Socket sslSocket = SSLSocketFactory.getDefault().createSocket( host, port ); +verifyHostName(host, (SSLSocket) sslSocket); +return sslSocket; } /** 
@@ -157,13 +184,271 @@ public class SSLProtocolSocketFactory im int port, boolean autoClose) throws IOException, UnknownHostException { -return ((SSLSocketFactory) SSLSocketFactory.getDefault()).createSocket( +Socket sslSocket = ((SSLSocketFactory) SSLSocketFactory.getDefault()).createSocket( socket, host, port, autoClose ); +verifyHostName(host, (SSLSocket) sslSocket); +return sslSocket; } + + + + +/** + * Verifies that the given hostname in certicifate is the hostname we are trying to connect to + * http://www.cvedetails.com/cve/CVE-2012-5783/ + * @param host + * @param ssl + * @throws IOException + */ + + private static void verifyHostName(String host, SSLSocket ssl) + throws IOException { + if (host == null) { + throw new
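Review bot: the comment on BAD_COUNTRY_2LDS in the @@ -55,6 +70,11 hunk reads "This is a a sorted list, if you insert new elements do it orderdered"; fix the typos and say why the order matters, presumably because the array is searched with Arrays.binarySearch (java.util.Arrays is among the new imports), which returns a meaningless index on an unsorted array, so a maintainer adding a label out of order would silently disable the country-2LD check.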
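Review bot: in the @@ -79,12 +99,14 hunk, and in the same pattern in every other createSocket overload of this patch, the SSLSocket is created, `verifyHostName(host, (SSLSocket) sslSocket);` is called and the socket is returned; if verification throws, the freshly opened socket is never closed and leaks. Wrap the call in try/catch, close sslSocket on failure and rethrow.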
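Review bot: in the @@ -124,16 +146,19 hunk the `timeout == 0` branch calls `createSocket(host, port, localAddress, localPort)`, which after this patch already runs verifyHostName, so the `verifyHostName(host, (SSLSocket) sslSocket);` added right after it checks the same certificate twice; drop the second call or add a comment explaining why it is kept.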
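Review bot: the javadoc added in the @@ -157,13 +184,271 hunk ("Verifies that the given hostname in certicifate is the hostname we are trying to connect to") has a typo ("certificate") and should state which exception a mismatch raises and that the caller gets no usable socket in that case; note also that the hunk is cut off in this message at `throw new`, so the roughly 250 remaining added lines, including the actual matching logic, cannot be reviewed from here.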
Bug#692650: patch for axis CVE-2012-5784 (full patch)
Description: Fixed CN extraction from DN of X500 principal and wildcard validation axis (1.4-16.2) unstable; urgency=low * Fixed CN extraction from DN of X500 principal and wildcard validation Author: Alberto Fernández Martínez inf...@gmail.com Origin: other Bug-Debian: http://bugs.debian.org/692650 Forwarded: https://issues.apache.org/jira/browse/AXIS-2883 Last-Update: 2012-12-06 --- axis-1.4.orig/src/org/apache/axis/components/net/JSSESocketFactory.java +++ axis-1.4/src/org/apache/axis/components/net/JSSESocketFactory.java @@ -15,12 +15,6 @@ */ package org.apache.axis.components.net; -import org.apache.axis.utils.Messages; -import org.apache.axis.utils.XMLUtils; -import org.apache.axis.utils.StringUtils; - -import javax.net.ssl.SSLSocket; -import javax.net.ssl.SSLSocketFactory; import java.io.BufferedWriter; import java.io.IOException; import java.io.InputStream; @@ -28,7 +22,27 @@ import java.io.OutputStream; import java.io.OutputStreamWriter; import java.io.PrintWriter; import java.net.Socket; +import java.security.cert.Certificate; +import java.security.cert.CertificateParsingException; +import java.security.cert.X509Certificate; +import java.util.Arrays; +import java.util.Collection; import java.util.Hashtable; +import java.util.Iterator; +import java.util.LinkedList; +import java.util.List; +import java.util.Locale; +import java.util.StringTokenizer; +import java.util.regex.Pattern; + +import javax.net.ssl.SSLException; +import javax.net.ssl.SSLSession; +import javax.net.ssl.SSLSocket; +import javax.net.ssl.SSLSocketFactory; + +import org.apache.axis.utils.Messages; +import org.apache.axis.utils.StringUtils; +import org.apache.axis.utils.XMLUtils; /** 
@@ -41,6 +55,10 @@ import java.util.Hashtable; */ public class JSSESocketFactory extends DefaultSocketFactory implements SecureSocketFactory { +// This is a a sorted list, if you insert new elements do it orderdered. +private final static String[] BAD_COUNTRY_2LDS = +{ac, co, com, ed, edu, go, gouv, gov, info, +lg, ne, net, or, org}; /** Field sslFactory */ protected SSLSocketFactory sslFactory = null; 
@@ -187,6 +205,260 @@ public class JSSESocketFactory extends D if (log.isDebugEnabled()) { log.debug(Messages.getMessage(createdSSL00)); } +verifyHostName(host, (SSLSocket) sslSocket); return sslSocket; } +/** + * Verifies that the given hostname in certicifate is the hostname we are trying to connect to + * http://www.cvedetails.com/cve/CVE-2012-5783/ + * @param host + * @param ssl + * @throws IOException + */ + + private static void verifyHostName(String host, SSLSocket ssl) + throws IOException { + if (host == null) { + throw new IllegalArgumentException(host to verify was null); + } + + SSLSession session = ssl.getSession(); + if (session == null) { +// In our experience this only happens under IBM 1.4.x when +// spurious (unrelated) certificates show up in the server's chain. +// Hopefully this will unearth the real problem: + InputStream in = ssl.getInputStream(); + in.available(); +/* + If you're looking at the 2 lines of code above because you're + running into a problem, you probably have two options: + +#1. Clean up the certificate chain that your server + is presenting (e.g. edit /etc/apache2/server.crt or + wherever it is your server's certificate chain is + defined). + + OR + +#2. Upgrade to an IBM 1.5.x or greater JVM, or switch to a + non-IBM JVM. + */ + +// If ssl.getInputStream().available() didn't cause an exception, +// maybe at least now the session is available? + session = ssl.getSession(); + if (session == null) { +// If it's still null, probably a startHandshake() will +// unearth the real problem. +ssl.startHandshake(); + +// Okay, if we still haven't managed to cause an exception, +// might as well go for the NPE. Or maybe we're okay now? 
+session = ssl.getSession(); + } + } + + Certificate[] certs = session.getPeerCertificates(); + verifyHostName(host.trim().toLowerCase(Locale.US), (X509Certificate) certs[0]); + } + /** + * Extract the names from the certificate and tests host matches one of them + * @param host + * @param cert + * @throws SSLException + */ + + private static void verifyHostName(final String host, X509Certificate cert) + throws SSLException { +// I'm okay with being case-insensitive when comparing the host we used +// to establish the socket to the hostname in the certificate. +// Don't trim the CN, though. + +
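Review bot: the @@ -15,12 +15,6 and @@ -28,7 +22,27 hunks remove the existing org.apache.axis.utils.* and javax.net.ssl.SSLSocket/SSLSocketFactory imports only to re-add them lower down in a different order; for a security backport that will be diffed against upstream, leave the existing imports in place and add only the new java.security.cert, java.util and javax.net.ssl.SSLException/SSLSession lines, which keeps the diff to what the fix actually needs.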
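Review bot: the BAD_COUNTRY_2LDS comment in the @@ -41,6 +55,10 hunk carries the same typos as the commons-httpclient copy ("a a", "orderdered"); both copies should say that the list is searched by binary search and must stay sorted, otherwise the sort requirement reads as a style preference rather than a correctness condition.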
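Review bot: in the @@ -187,6 +205,260 hunk the IBM 1.4 workaround ends with `session = ssl.getSession();` and then falls straight through to `Certificate[] certs = session.getPeerCertificates();`, and the comment itself says "might as well go for the NPE"; a still-null session should become an SSLException with a clear message rather than a NullPointerException that callers of createSocket will not expect. In the same hunk `verifyHostName(host, (SSLSocket) sslSocket);` is inserted before `return sslSocket;` with nothing closing the socket when verification fails, so a certificate mismatch leaks the connection; close it in a catch block and rethrow.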
Bug#692650: Patches for CVE-2012-5783 and CVE-2012-5784
Hi

I've uploaded new packages to mentors.

I'll be out until Monday, so feel free to review the patches and sponsor the new version if you are all confident it's all ok. I think now it's fine, but if you find some other bug or improvement, I'll be happy to correct it.

I'll insist next week upstream to include the last fix.

On Thu, 06-12-2012 at 13:58 +0100, Andreas Tille wrote:
> Hi Alberto,
>
> thanks for your continuous work on this. As I said in my previous mail please remember to reopen the according bugs to make sure the previous solution will not migrate to testing. I'll volunteer to sponsor your new version if you confirm that this is needed to finally fix the issue.
>
> Kind regards
>
> Andreas.
>
> On Thu, Dec 06, 2012 at 01:49:07PM +0100, Alberto Fernández wrote:
> > Hi All,
> >
> > I've prepared the patch with the problem pointed out by David fixed (thanks David). It also fixes a bug related to wildcard certificates.
> >
> > The first patch is backported from httpclient 4.0 and apache synapse. This second patch backports some fixes from httpclient 4.2.
> >
> > The patch differs a lot from the 4.x line for two reasons: first, the code architecture changes; second, I want to maintain the 3.1 API unchanged, so all methods are private and only apply to one class.
> >
> > The patch for axis and commons-httpclient is the same. In the function where they create an SSLSocket, I've put the same routine to validate the hostname against the certificate's valid names.
> >
> > I'll upload the new patches in their place. Please review them and when ready I can upload a new package to mentors.
> >
> > Thanks
Bug#692650: Patches for CVE-2012-5783 and CVE-2012-5784
Hi

I've reopened the two bugs.

The first patch was incomplete, as pointed out by David and by another bug I've found reviewing the code.

The bug pointed out by David can occur in some rare cases where the CA issues malformed certificates. It's rare, but there are many CAs...

The other bug is about wildcard certificate validation. The first patch incorrectly validates some cases. They're also rare cases of certificates of type *.xxx.com.

Both are very rare cases, but I think they must be fixed before release.

In outline, host names correctly validated:

original - 0% (no validation at all)
first patch - ¿99%? Never fails with valid certificates, blocks the majority of invalid requests, allows a few rare cases which should be blocked
second patch - 100%. I hope.

Thanks for your patience
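The two classes of bug discussed in this thread, CN handling and wildcard matching, as an added stand-alone illustration written for this page rather than code taken from either patch: a small hostname matcher that applies the same kind of rules the backport uses (exact match, a wildcard that covers exactly one label, the BAD_COUNTRY_2LDS exclusion, no wildcard match against IP literals) and shows the rare cases the messages above refer to. The class and method names are hypothetical, and the choice to consult the CN only when the certificate has no DNS subjectAltNames is this example's assumption, not necessarily the patch's behaviour.

```java
import java.util.Arrays;
import java.util.Locale;

/** Hypothetical stand-alone matcher; not part of commons-httpclient or axis. */
public class HostnameMatchDemo {

    // Same sorted list as the patch; Arrays.binarySearch relies on the order.
    private static final String[] BAD_COUNTRY_2LDS = {
        "ac", "co", "com", "ed", "edu", "go", "gouv", "gov", "info",
        "lg", "ne", "net", "or", "org"
    };

    /** Checks the host against the certificate names; the host is lower-cased with a fixed locale. */
    static boolean verify(String host, String cn, String[] dnsSubjectAlts) {
        String h = host.trim().toLowerCase(Locale.US);
        if (dnsSubjectAlts != null && dnsSubjectAlts.length > 0) {
            // Assumption of this example: DNS SANs take precedence and the CN is ignored
            for (String alt : dnsSubjectAlts) {
                if (matches(h, alt)) return true;
            }
            return false;
        }
        // No DNS SANs: fall back to the CN, which may be absent from the subject DN
        return cn != null && matches(h, cn);
    }

    /** One certificate name against the host; only a leading "*." is treated as a wildcard. */
    static boolean matches(String host, String certName) {
        String name = certName.toLowerCase(Locale.US);
        if (!name.startsWith("*.")) {
            return host.equals(name);
        }
        return wildcardMatches(host, name);
    }

    static boolean wildcardMatches(String host, String pattern) {
        // A wildcard never matches an IP literal: "*.0.0.1" must not cover 10.0.0.1
        if (host.matches("[0-9.]+")) return false;
        // "*.example.com" -> suffix ".example.com"; whatever precedes it is the covered label
        String suffix = pattern.substring(1);
        if (!host.endsWith(suffix)) return false;
        String covered = host.substring(0, host.length() - suffix.length());
        // Exactly one non-empty label: neither "example.com" nor "a.b.example.com"
        if (covered.length() == 0 || covered.indexOf('.') >= 0) return false;
        // "*.co.uk" would match every registrant under co.uk: reject country 2LDs
        String[] parts = pattern.split("\\.");
        if (parts.length == 3 && parts[2].length() == 2
                && Arrays.binarySearch(BAD_COUNTRY_2LDS, parts[1]) >= 0) {
            return false;
        }
        return true;
    }

    private static void show(String label, boolean got, boolean want) {
        System.out.println((got == want ? "ok   " : "FAIL ") + label + " -> " + got);
    }

    // Constructed test vectors; no real certificates or hosts are involved
    public static void main(String[] args) {
        String[] none = new String[0];
        show("exact CN match, case-insensitive",
             verify("WWW.Example.com", "www.example.com", none), true);
        show("CN ignored when DNS SANs are present",
             verify("www.example.com", "www.example.com", new String[] {"api.example.com"}), false);
        show("wildcard covers one label",
             verify("api.example.com", null, new String[] {"*.example.com"}), true);
        show("wildcard does not cover two labels",
             verify("a.b.example.com", null, new String[] {"*.example.com"}), false);
        show("wildcard does not cover the bare domain",
             verify("example.com", null, new String[] {"*.example.com"}), false);
        show("*.co.uk rejected (BAD_COUNTRY_2LDS)",
             verify("victim.co.uk", null, new String[] {"*.co.uk"}), false);
        show("*.foo.uk accepted (not a country 2LD)",
             verify("shop.foo.uk", null, new String[] {"*.foo.uk"}), true);
        show("wildcard never matches an IP literal",
             verify("10.0.0.1", null, new String[] {"*.0.0.1"}), false);
        show("no CN and no SANs: clean false, no NPE",
             verify("www.example.com", null, none), false);
    }
}
```

Every line printed by main should start with "ok"; a "FAIL" marks a rule the matcher gets wrong, which is the kind of table a reviewer can run against a backport before sponsoring it.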
Bug#692650: Patches for CVE-2012-5783 and CVE-2012-5784
Hi,

I've uploaded the two packages to mentors.debian.net. We must solve the two bugs at the same time because axis uses commons-httpclient.

Upstream seems End-of-life and rejected the patches.

On Wed, 05-12-2012 at 16:43 +0100, Andreas Tille wrote:
> Hi,
>
> seems the package is ready for an upload. Any reason why this is not done? I could sponsor an upload or NMU if this would help.
>
> Kind regards
>
> Andreas.
Bug#692442: Patches for CVE-2012-5783 and CVE-2012-5784
Hi Andreas

I've uploaded both packages to mentors.

commons-httpclient - bug #692442 CVE-2012-5783
axis - bug #692650 CVE-2012-5784

Since axis uses commons-httpclient, we need to fix and upload both packages.

Upstream has ignored the axis patch, and rejected the commons-httpclient patch. Basically, they say commons-httpclient is EOL and they don't want to spend time on it. They maybe would apply the patch to the SVN, but without revision and without releasing.

I've tested the patches and they work ok. So I think it's fine to upload.

Kind regards
Alberto

On Wed, 05-12-2012 at 21:51 +0100, Andreas Tille wrote:
> Hi Alberto,
>
> On Wed, Dec 05, 2012 at 06:01:51PM +0100, Alberto Fernández wrote:
> > I've uploaded the two packages to mentors.debian.net. We must solve the two bugs at the same time because axis uses commons-httpclient.
>
> I guess you mean bug #692442, right?
>
> > Upstream seems End-of-life and rejected the patches.
>
> Did upstream actively *reject* the patch because of technical flaws or did they just ignore it because of the end-of-life status? There is no real need to have a patch accepted upstream if we as Debian maintainers agree that the patch is technically solving the reported problem. We actually do *not* want new upstream versions.
>
> So as far as I see we currently have the following situation: A package for axis that solves #692650 is waiting on mentors for sponsoring. I'd volunteer to do this. Did you upload commons-httpclient fixing #692442 to mentors as well? If not I could also apply the patch in BTS and upload both to unstable. Just tell me if there is any reason to not upload these both packages?
>
> Kind regards and thanks for providing the patches
>
> Andreas.
Bug#692442: Patches for CVE-2012-5783 and CVE-2012-5784
Hi Mike,

I don't understand what you expect from me. I've uploaded the patches to the BTS, I don't know what the next step is. I suppose a maintainer would pick it from there.

If there's something I can do let me know.

Thanks,
Alberto

On Thu, 22-11-2012 at 04:00 -0500, Michael Gilbert wrote:
> > I've backported the routine to validate certificate name, and I've made a patch (attached). I'm not sure it's a good idea to apply the patch, it can break programs that connect with bad hostnames (ips, host in /etc/hostname, etc)
>
> Would you mind getting your patches for these issues reviewed and applied by the appropriate upstreams?
>
> Thanks,
> Mike
Bug#692442: Patches for CVE-2012-5783 and CVE-2012-5784
On Thu, 22-11-2012 at 04:00 -0500, Michael Gilbert wrote:
> > I've backported the routine to validate certificate name, and I've made a patch (attached). I'm not sure it's a good idea to apply the patch, it can break programs that connect with bad hostnames (ips, host in /etc/hostname, etc)
>
> Would you mind getting your patches for these issues reviewed and applied by the appropriate upstreams?
>
> Thanks,
> Mike

Hi Mike

I've read your tip again. Sorry for not understanding the first time. I'll prepare the patch again upstream, and post it on their BTS.
Bug#692442: patch upstream
Here is the patch posted to upstream: https://issues.apache.org/jira/browse/HTTPCLIENT-1265
Bug#692650: patch
patch posted upstream: https://issues.apache.org/jira/browse/AXIS-2883
Bug#692442: patch
Hi I've backported the routine to validate certificate name, and I've made a patch (attached). I'm not sure it's a good idea apply the patch, it can break programs that connect with bad hostnames (ips, host in /etc/hostname, etc) Description: Validates the hostname requested is the same in the certificate in ssl-connections Fixes CVE-2012-5783, validates hostname certificate in SSL connections. Backported from http-client 4, and from Apache Synapse (plus some bugfixes). Author: Alberto Fernandez inf...@gmail.com Bug-Debian: http://bugs.debian.org/692442 Forwarded: no --- commons-httpclient-3.1.orig/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java +++ commons-httpclient-3.1/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java @@ -31,11 +31,23 @@ package org.apache.commons.httpclient.protocol; import java.io.IOException; +import java.io.InputStream; import java.net.InetAddress; import java.net.Socket; import java.net.UnknownHostException; +import javax.net.ssl.SSLException; +import javax.net.ssl.SSLSession; +import javax.net.ssl.SSLSocket; import javax.net.ssl.SSLSocketFactory; +import java.security.cert.Certificate; +import java.security.cert.CertificateParsingException; +import java.security.cert.X509Certificate; +import java.util.Arrays; +import java.util.Collection; +import java.util.Iterator; +import java.util.LinkedList; +import java.util.List; import org.apache.commons.httpclient.ConnectTimeoutException; import org.apache.commons.httpclient.params.HttpConnectionParams; 
@@ -55,6 +67,11 @@ public class SSLProtocolSocketFactory im */ private static final SSLProtocolSocketFactory factory = new SSLProtocolSocketFactory(); +// This is a a sorted list, if you insert new elements do it orderdered. +private final static String[] BAD_COUNTRY_2LDS = +{ac, co, com, ed, edu, go, gouv, gov, info, +lg, ne, net, or, org}; + /** * Gets an singleton instance of the SSLProtocolSocketFactory. * @return a SSLProtocolSocketFactory @@ -79,12 +96,14 @@ public class SSLProtocolSocketFactory im InetAddress clientHost, int clientPort) throws IOException, UnknownHostException { -return SSLSocketFactory.getDefault().createSocket( +Socket sslSocket = SSLSocketFactory.getDefault().createSocket( host, port, clientHost, clientPort ); +verifyHostName(host, (SSLSocket) sslSocket); +return sslSocket; } /** @@ -124,16 +143,19 @@ public class SSLProtocolSocketFactory im } int timeout = params.getConnectionTimeout(); if (timeout == 0) { -return createSocket(host, port, localAddress, localPort); +Socket sslSocket = createSocket(host, port, localAddress, localPort); +verifyHostName(host, (SSLSocket) sslSocket); +return sslSocket; } else { // To be eventually deprecated when migrated to Java 1.4 or above -Socket socket = ReflectionSocketFactory.createSocket( +Socket sslSocket = ReflectionSocketFactory.createSocket( javax.net.ssl.SSLSocketFactory, host, port, localAddress, localPort, timeout); -if (socket == null) { -socket = ControllerThreadSocketFactory.createSocket( +if (sslSocket == null) { + sslSocket = ControllerThreadSocketFactory.createSocket( this, host, port, localAddress, localPort, timeout); } -return socket; +verifyHostName(host, (SSLSocket) sslSocket); +return sslSocket; } } 
@@ -142,10 +164,12 @@ public class SSLProtocolSocketFactory im */ public Socket createSocket(String host, int port) throws IOException, UnknownHostException { -return SSLSocketFactory.getDefault().createSocket( +Socket sslSocket = SSLSocketFactory.getDefault().createSocket( host, port ); +verifyHostName(host, (SSLSocket) sslSocket); +return sslSocket; } /** @@ -157,14 +181,267 @@ public class SSLProtocolSocketFactory im int port, boolean autoClose) throws IOException, UnknownHostException { -return ((SSLSocketFactory) SSLSocketFactory.getDefault()).createSocket( +Socket sslSocket = ((SSLSocketFactory) SSLSocketFactory.getDefault()).createSocket( socket, host, port, autoClose ); +verifyHostName(host, (SSLSocket) sslSocket); +return sslSocket; +} + + + + +/** + * Verifies that the given hostname in certicifate is the hostname we are trying to connect to + * http://www.cvedetails.com/cve/CVE-2012-5783/ + * @param host + * @param ssl + * @throws IOException + */
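Review bot: the @@ -31,11 +31,23 hunk inserts the javax.net.ssl imports between java.net and the existing SSLSocketFactory import and then puts the java.security.cert and java.util imports after it, so the import block is no longer grouped by package; the resubmitted commons-httpclient patch later in this thread orders them and additionally imports java.util.Locale, java.util.StringTokenizer and java.util.regex.Pattern, so this earlier version should be treated as superseded rather than fixed up.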
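Review bot: in the @@ -124,16 +143,19 hunk the `timeout == 0` branch verifies the host name twice, once inside the `createSocket(host, port, localAddress, localPort)` it delegates to and once via the explicit `verifyHostName(host, (SSLSocket) sslSocket);` that follows, and none of the createSocket overloads in this patch close the socket when verifyHostName throws; both points survive unchanged into the resubmitted patch and are worth fixing there.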
Bug#692650: patch
Hi I've made a patch (attached) It's basically the same patch i've submitted to commons-httpclient (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692442 ), This patch is tested in commons-httpclient but untested in axis (sorry) Description: Validates the hostname requested is the same in the certificate in ssl-connections Fixes CVE-2012-5784, validates hostname certificate in SSL connections. Backported from http-client 4, and from Apache Synapse (plus some bugfixes). Author: Alberto Fernandez inf...@gmail.com Bug-Debian: http://bugs.debian.org/692650 Forwarded: no --- axis-1.4.orig/src/org/apache/axis/components/net/JSSESocketFactory.java +++ axis-1.4/src/org/apache/axis/components/net/JSSESocketFactory.java @@ -19,6 +19,8 @@ import org.apache.axis.utils.Messages; import org.apache.axis.utils.XMLUtils; import org.apache.axis.utils.StringUtils; +import javax.net.ssl.SSLException; +import javax.net.ssl.SSLSession; import javax.net.ssl.SSLSocket; import javax.net.ssl.SSLSocketFactory; import java.io.BufferedWriter; @@ -28,7 +30,15 @@ import java.io.OutputStream; import java.io.OutputStreamWriter; import java.io.PrintWriter; import java.net.Socket; +import java.security.cert.Certificate; +import java.security.cert.CertificateParsingException; +import java.security.cert.X509Certificate; +import java.util.Arrays; +import java.util.Collection; import java.util.Hashtable; +import java.util.Iterator; +import java.util.LinkedList; +import java.util.List; /** @@ -41,6 +51,10 @@ import java.util.Hashtable; */ public class JSSESocketFactory extends DefaultSocketFactory implements SecureSocketFactory { +// This is a a sorted list, if you insert new elements do it orderdered. +private final static String[] BAD_COUNTRY_2LDS = +{ac, co, com, ed, edu, go, gouv, gov, info, +lg, ne, net, or, org}; /** Field sslFactory */ protected SSLSocketFactory sslFactory = null; 
@@ -187,6 +201,255 @@ public class JSSESocketFactory extends D if (log.isDebugEnabled()) { log.debug(Messages.getMessage(createdSSL00)); } +verifyHostName(host, (SSLSocket) sslSocket); return sslSocket; } +/** + * Verifies that the given hostname in certicifate is the hostname we are trying to connect to + * http://www.cvedetails.com/cve/CVE-2012-5783/ + * @param host + * @param ssl + * @throws IOException + */ + + private static void verifyHostName(String host, SSLSocket ssl) + throws IOException { + if (host == null) { + throw new IllegalArgumentException(host to verify was null); + } + + SSLSession session = ssl.getSession(); + if (session == null) { +// In our experience this only happens under IBM 1.4.x when +// spurious (unrelated) certificates show up in the server's chain. +// Hopefully this will unearth the real problem: + InputStream in = ssl.getInputStream(); + in.available(); +/* + If you're looking at the 2 lines of code above because you're + running into a problem, you probably have two options: + +#1. Clean up the certificate chain that your server + is presenting (e.g. edit /etc/apache2/server.crt or + wherever it is your server's certificate chain is + defined). + + OR + +#2. Upgrade to an IBM 1.5.x or greater JVM, or switch to a + non-IBM JVM. + */ + +// If ssl.getInputStream().available() didn't cause an exception, +// maybe at least now the session is available? + session = ssl.getSession(); + if (session == null) { +// If it's still null, probably a startHandshake() will +// unearth the real problem. +ssl.startHandshake(); + +// Okay, if we still haven't managed to cause an exception, +// might as well go for the NPE. Or maybe we're okay now? 
+session = ssl.getSession(); + } + } + + Certificate[] certs = session.getPeerCertificates(); + verifyHostName(host.trim().toLowerCase(), (X509Certificate) certs[0]); + } + /** + * Extract the names from the certificate and tests host matches one of them + * @param host + * @param cert + * @throws SSLException + */ + + private static void verifyHostName(final String host, X509Certificate cert) + throws SSLException { +// I'm okay with being case-insensitive when comparing the host we used +// to establish the socket to the hostname in the certificate. +// Don't trim the CN, though. + + String cn = getCN(cert); + String[] subjectAlts = getDNSSubjectAlts(cert); + verifyHostName(host, cn.toLowerCase(), subjectAlts); + + } + + /** + * Extract all alternative names from a certificate. + * @param cert + *
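Review bot: in the @@ -187,6 +201,255 hunk `verifyHostName(host.trim().toLowerCase(), (X509Certificate) certs[0]);` and `verifyHostName(host, cn.toLowerCase(), subjectAlts);` lower-case with the default locale; under a Turkish locale an upper-case "I" becomes a dotless ı, so a host such as API.example.com would never match its own certificate. Pass Locale.US in both places (the resubmitted axis patch in this thread does so for the host). In the same hunk `String cn = getCN(cert);` is dereferenced unconditionally; a certificate whose subject DN carries no CN, which is legal when the names live in subjectAltName, would then fail with a NullPointerException instead of being checked against subjectAlts or rejected with an SSLException, so guard against a null CN before lower-casing it.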