Posted to java-dev@axis.apache.org by "Gil Messerman (JIRA)" <ax...@ws.apache.org> on 2009/06/10 12:10:07 UTC
[jira] Created: (AXIS-2793) Axis web service client does not validate server's domain name in server's certificate when calling web service over SSL
Axis web service client does not validate server's domain name in server's certificate when calling web service over SSL
------------------------------------------------------------------------------------------------------------------------
Key: AXIS-2793
URL: https://issues.apache.org/jira/browse/AXIS-2793
Project: Axis
Issue Type: Bug
Components: Basic Architecture
Affects Versions: 1.4
Environment: Web service client using 1.5 on Sun JDK 1.6
Reporter: Gil Messerman
The Axis 1.4 web service client does not validate the server's domain name when connecting to a web service over SSL. The validations that are performed are whether the certificate is valid, not expired and trusted, but not whether the issued domain matches the server name in the URL. The easiest way to reproduce the problem is to call a web service over SSL (with a valid certificate) using an IP address instead of the domain name that appears in the certificate.
It seems that the problem is due to a missing TrustManager in SecureSocketFactory. The implementation of SocketFactory does not create a TrustManager unless client authentication is set to true. This might be correct when Axis is used as a web service server (if client authentication is not required, the server does not create a trust manager for the client's validation), but it creates a security problem when Axis is used as a client, which should always validate the server's certificate.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
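The report above describes a chain that is validated (trusted, unexpired) but never checked against the host in the URL. The following is an added, constructed example and not Axis code: it implements the missing step, the hostname-to-certificate identity match, as a defender would want it (RFC 6125 style DNS matching, wildcard only as the whole leftmost label, and IP literals accepted only against an iPAddress SAN). The SAN list, host names and addresses are constructed; a real client would take the SANs from the peer certificate after chain validation.

```python
"""Hostname-to-certificate matching check (constructed example, not Axis code).

Demonstrates the verification step the bug report says Axis 1.4's
SecureSocketFactory omits: after the chain is validated, the host named in
the URL must also match a name in the certificate. Subject Alternative
Names are given as (type, value) pairs, the form most TLS libraries
expose them in.
"""
import ipaddress
from typing import Iterable, Tuple

# Constructed SAN list standing in for a server certificate issued to
# ws.example.com (plus a wildcard for its subdomains). There is deliberately
# no iPAddress entry, matching the report's reproduction scenario.
EXAMPLE_SANS = [
    ("DNS", "ws.example.com"),
    ("DNS", "*.example.com"),
]


def _dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style DNS-ID match: case-insensitive, wildcard allowed only
    as the entire leftmost label, and a wildcard never spans a dot."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # The wildcard must be the whole leftmost label, there must be at least
    # two more labels (so "*.com" matches nothing), and label counts must agree.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def host_matches_certificate(host: str, sans: Iterable[Tuple[str, str]]) -> bool:
    """Return True iff `host` (DNS name or IP literal from the URL) is
    identified by one of the certificate's SAN entries.

    An IP literal is accepted only against an iPAddress SAN encoding the same
    address; DNS entries never satisfy an IP lookup. This is exactly why a
    client connecting by IP to a certificate issued for ws.example.com has
    to be rejected, even though the chain itself validates.
    """
    host = host.strip("[]")  # URLs bracket IPv6 literals
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for san_type, value in sans:
        if ip is not None:
            if san_type == "IP":
                try:
                    if ipaddress.ip_address(value) == ip:
                        return True
                except ValueError:
                    continue  # malformed SAN value: ignore, never match
        elif san_type == "DNS" and _dns_name_matches(value, host):
            return True
    return False


def check_endpoint(url_host: str, sans: Iterable[Tuple[str, str]]) -> str:
    """What a hostname-verifying client decides for a given URL host."""
    if host_matches_certificate(url_host, sans):
        return "accept"
    return "reject: certificate does not identify %s" % url_host


if __name__ == "__main__":
    for h in ["ws.example.com", "api.example.com", "a.b.example.com",
              "192.0.2.10", "ws.example.com.evil.net"]:
        print(h, "->", check_endpoint(h, EXAMPLE_SANS))
```

Run stand-alone, the loop shows the report's scenario: the DNS names the certificate was issued for are accepted, while the IP literal (and a look-alike name) is rejected. On the Java side, standard JSSE performs this check when endpoint identification is enabled on the socket or when HttpsURLConnection is used; a custom SSLSocketFactory that creates no TrustManager and never applies such a check is what the report describes.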
[jira] Updated: (AXIS-2793) Axis web service client does not validate server's domain name in server's certificate when calling web service over SSL
Posted by "Gil Messerman (JIRA)" <ax...@ws.apache.org>.
[ https://issues.apache.org/jira/browse/AXIS-2793?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Gil Messerman updated AXIS-2793:
--------------------------------
Environment: Web service client using Axis 1.4 on Sun JDK 1.6 (was: Web service client using 1.5 on Sun JDK 1.6)
> Axis web service client does not validate server's domain name in server's certificate when calling web service over SSL
> ------------------------------------------------------------------------------------------------------------------------
>
> Key: AXIS-2793
> URL: https://issues.apache.org/jira/browse/AXIS-2793
> Project: Axis
> Issue Type: Bug
> Components: Basic Architecture
> Affects Versions: 1.4
> Environment: Web service client using Axis 1.4 on Sun JDK 1.6
> Reporter: Gil Messerman
>
> The Axis 1.4 web service client does not validate the server's domain name when connecting to a web service over SSL. The validations that are performed are whether the certificate is valid, not expired and trusted, but not whether the issued domain matches the server name in the URL. The easiest way to reproduce the problem is to call a web service over SSL (with a valid certificate) using an IP address instead of the domain name that appears in the certificate.
> It seems that the problem is due to a missing TrustManager in SecureSocketFactory. The implementation of SocketFactory does not create a TrustManager unless client authentication is set to true. This might be correct when Axis is used as a web service server (if client authentication is not required, the server does not create a trust manager for the client's validation), but it creates a security problem when Axis is used as a client, which should always validate the server's certificate.