You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@sling.apache.org by "Oliver Lietz (Jira)" <ji...@apache.org> on 2021/12/16 08:57:00 UTC

[jira] [Updated] (SLING-10965) Support server identity check

     [ https://issues.apache.org/jira/browse/SLING-10965?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Oliver Lietz updated SLING-10965:
---------------------------------
    Description: 
This new feature adds support for enabling server identity checks and these checks are enabled by default.

A security issue ("SMTPS server hostname not checked when making TLS connection to SMTPS server") was reported by Michael Lescisin and accepted by the project. The issue is tracked as CVE-2021-44549.

The checks are still not enabled by default in the underlying Jakarta Mail, see [Hostname validation for certificates should be enabled by default|https://github.com/eclipse-ee4j/mail/issues/429].

The {{SimpleMailService}} in Apache Sling Commons Messaging Mail 1.0 lacks an option to enable these checks for the shared mail session.
A user could enable these checks nevertheless by accessing the session via the message created by {{SimpleMessageBuilder}} and setting the property {{mail.smtps.ssl.checkserveridentity}} to {{true}}:

{noformat}
    MimeMessage message = mailService.getMessageBuilder().build();
    message.getSession().getProperties().setProperty("mail.smtps.ssl.checkserveridentity", "true");
{noformat}

See also [SSLNOTES|https://eclipse-ee4j.github.io/mail/docs/SSLNOTES.txt]:

??Server Identity Check RFC 2595 specifies addition checks that must be performed on the server's certificate to ensure that the server you connected to is the server you intended to connect to. This reduces the risk of "man in the middle" attacks. For compatibility with earlier releases of Jakarta Mail, these additional checks are disabled by default. We strongly recommend that you enable these checks when using SSL. To enable these checks, set the "mail.<protocol>.ssl.checkserveridentity" property to "true".??


  was:
??Server Identity Check RFC 2595 specifies addition checks that must be performed on the server's certificate to ensure that the server you connected to is the server you intended to connect to. This reduces the risk of "man in the middle" attacks. For compatibility with earlier releases of Jakarta Mail, these additional checks are disabled by default. We strongly recommend that you enable these checks when using SSL. To enable these checks, set the "mail.<protocol>.ssl.checkserveridentity" property to "true".??

[https://eclipse-ee4j.github.io/mail/docs/SSLNOTES.txt]


> Support server identity check
> -----------------------------
>
>                 Key: SLING-10965
>                 URL: https://issues.apache.org/jira/browse/SLING-10965
>             Project: Sling
>          Issue Type: New Feature
>          Components: Commons
>            Reporter: Oliver Lietz
>            Assignee: Oliver Lietz
>            Priority: Critical
>             Fix For: Commons Messaging Mail 2.0.0
>
>
> This new feature adds support for enabling server identity checks and these checks are enabled by default.
> A security issue ("SMTPS server hostname not checked when making TLS connection to SMTPS server") was reported by Michael Lescisin and accepted by the project. The issue is tracked as CVE-2021-44549.
> The checks are still not enabled by default in the underlying Jakarta Mail, see [Hostname validation for certificates should be enabled by default|https://github.com/eclipse-ee4j/mail/issues/429].
> The {{SimpleMailService}} in Apache Sling Commons Messaging Mail 1.0 lacks an option to enable these checks for the shared mail session.
> A user could enable these checks nevertheless by accessing the session via the message created by {{SimpleMessageBuilder}} and setting the property {{mail.smtps.ssl.checkserveridentity}} to {{true}}:
> {noformat}
>     MimeMessage message = mailService.getMessageBuilder().build();
>     message.getSession().getProperties().setProperty("mail.smtps.ssl.checkserveridentity", "true");
> {noformat}
> See also [SSLNOTES|https://eclipse-ee4j.github.io/mail/docs/SSLNOTES.txt]:
> ??Server Identity Check RFC 2595 specifies addition checks that must be performed on the server's certificate to ensure that the server you connected to is the server you intended to connect to. This reduces the risk of "man in the middle" attacks. For compatibility with earlier releases of Jakarta Mail, these additional checks are disabled by default. We strongly recommend that you enable these checks when using SSL. To enable these checks, set the "mail.<protocol>.ssl.checkserveridentity" property to "true".??



--
This message was sent by Atlassian Jira
(v8.20.1#820001)