You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@cxf.apache.org by "Freeman Yue Fang (Jira)" <ji...@apache.org> on 2021/03/17 22:04:00 UTC
[jira] [Commented] (CXF-8437) DefaultHostnameVerifier ccepts any
certificate as valid which is a secure issue
[ https://issues.apache.org/jira/browse/CXF-8437?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17303751#comment-17303751 ]
Freeman Yue Fang commented on CXF-8437:
---------------------------------------
Hi Alan,
I believe this issue is fixed by CXF-8415.
Seems your PR isn't against the latest CXF 3.4.x code. The method in question now is like
{code}
@Override
public boolean verify(final String host, final SSLSession session) {
try {
final Certificate[] certs = session.getPeerCertificates();
final X509Certificate x509 = (X509Certificate) certs[0];
verify(host, x509);
return true;
} catch (final SSLException ex) {
if (LOG.isLoggable(Level.FINE)) {
LOG.log(Level.FINE, ex.getMessage(), ex);
}
return false;
}
}
{code}
So it's not always return true.
Best Regards
Freeman
> DefaultHostnameVerifier ccepts any certificate as valid which is a secure issue
> ---------------------------------------------------------------------------------
>
> Key: CXF-8437
> URL: https://issues.apache.org/jira/browse/CXF-8437
> Project: CXF
> Issue Type: Improvement
> Affects Versions: 3.4.2
> Reporter: Alan Mehio
> Assignee: Freeman Yue Fang
> Priority: Minor
>
> The GitHub code scanning is flagging an error[ see|[https://github.com/apache/cxf/pull/755/checks?check_run_id=2125425364]]
> for this security issue [unsafe hostname verification|https://codeql.github.com/codeql-query-help/java/java-unsafe-hostname-verification/]
> from CodeQL documenation.
> Any idea if the Github new annotation on unchanged files is helping or it is disturbing
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)