Posted to dev@qpid.apache.org by "Alex Rudyy (Jira)" <ji...@apache.org> on 2021/02/01 09:11:00 UTC

[jira] [Commented] (QPID-8499) [Broker-J] Customized TrustManager bypasses certificate verification

    [ https://issues.apache.org/jira/browse/QPID-8499?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17276163#comment-17276163 ] 

Alex Rudyy commented on QPID-8499:
----------------------------------

Hi [~rgodfrey]
To be fair, I was thinking about deleting this type of trust store implementation. Though, we can add a check on a port to prevent setting this type of trust store on a port for use in mutual authentication. I think that should be in line with your comments:
{quote}
It would make sense for the implementation to, in some way, indicate that it is not suitable for use as a truststore in the case where it is being used to check the certificate presented by a server on an outbound (from the perspective of the broker) connection, and prevent its use in this way. 
{quote}


The certificate date validation is already implemented, though it is a post check. The operation log is issued when the certificate expires.
{quote}
It should also (if it does not already) validate the current date lies within the start/end dates on the presented certificate.
{quote}
We can improve this further for the SiteSpecificTrustStore to check the date immediately on certificate download and throw an exception if it expires. That should stop a SiteSpecificTrustStore with an expired certificate from being stored in the broker configuration.

> [Broker-J] Customized TrustManager bypasses certificate verification
> --------------------------------------------------------------------
>
>                 Key: QPID-8499
>                 URL: https://issues.apache.org/jira/browse/QPID-8499
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Broker-J
>            Reporter: Ya Xiao
>            Priority: Major
>
> We found a security vulnerability in file [qpid-broker-j/broker-core/src/main/java/org/apache/qpid/server/security/SiteSpecificTrustStoreImpl.java|https://github.com/apache/qpid-broker-j/blob/a70ed6f5edbcf0e8690447d48a1fe64e599cb703/broker-core/src/main/java/org/apache/qpid/server/security/SiteSpecificTrustStoreImpl.java]. The customized TrustManager (at Line 339) allows all certificates to pass the verification.
> *Security Impact*:
> The checkClientTrusted and checkServerTrusted methods are expected to implement the certificate validation logic. Bypassing it could allow man-in-the-middle attacks.
> *Useful Resources*:
> [https://cwe.mitre.org/data/definitions/295.html]
> [https://developer.android.com/training/articles/security-ssl|https://developer.android.com/training/articles/security-ssl#SelfSigned]
> *Solution we suggest:*
> Do not customize the TrustManager or specify the certificate validation logic instead of allowing all certificates. See [here|https://developer.android.com/training/articles/security-ssl] to securely allow self-signed certificates and other common cases.
> *Please share with us your opinions/comments if there is any:*
> Is the bug report helpful?



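An added example, not Broker-J code and not part of the thread: one way to express in Java the two checks discussed above, a validity-date check at the moment a downloaded certificate is accepted, and a trust manager that matches only that certificate instead of accepting all. The class name `PinnedCertificateTrustManager` and the PEM/DER file path argument are hypothetical; refusing client authentication is an assumption modelled on the proposed port check.

```java
import java.io.FileInputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.X509TrustManager;

// Hypothetical class for illustration: trusts exactly one previously downloaded certificate.
public final class PinnedCertificateTrustManager implements X509TrustManager {
    private final X509Certificate pinned;

    // Fails at construction, i.e. before anything is stored, if the certificate is expired or not yet valid.
    public PinnedCertificateTrustManager(X509Certificate downloaded) throws CertificateException {
        downloaded.checkValidity(); // CertificateExpiredException / CertificateNotYetValidException
        this.pinned = downloaded;
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("No certificate presented by peer");
        }
        // Compare the full DER encoding of the leaf with the pinned certificate.
        if (!Arrays.equals(chain[0].getEncoded(), pinned.getEncoded())) {
            throw new CertificateException("Peer certificate does not match the pinned certificate");
        }
        chain[0].checkValidity(); // dates are re-checked on every handshake, not only afterwards
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // Assumption: a single pinned site certificate is never a basis for authenticating clients.
        throw new CertificateException("Pinned site certificate cannot be used for client authentication");
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0];
    }

    // Usage: java PinnedCertificateTrustManager <certificate file, PEM or DER>
    public static void main(String[] args) throws Exception {
        try (FileInputStream in = new FileInputStream(args[0])) {
            X509Certificate c = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
            new PinnedCertificateTrustManager(c); // throws here for an expired certificate
            System.out.println("Accepted for pinning: " + c.getSubjectX500Principal());
        }
    }
}
```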