You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@activemq.apache.org by "Ya Xiao (Jira)" <ji...@apache.org> on 2021/01/16 23:36:00 UTC

[jira] [Created] (ARTEMIS-3070) Customized TrustManager bypasses certificate verification

Ya Xiao created ARTEMIS-3070:
--------------------------------

             Summary: Customized TrustManager bypasses certificate verification
                 Key: ARTEMIS-3070
                 URL: https://issues.apache.org/jira/browse/ARTEMIS-3070
             Project: ActiveMQ Artemis
          Issue Type: Improvement
            Reporter: Ya Xiao


In file [activemq-artemis/tests/artemis-test-support/src/main/java/org/apache/activemq/transport/netty/NettyTransportSupport.java|https://github.com/apache/activemq-artemis/blob/52263663c48082227916cc3477f8892d9f10134b/tests/artemis-test-support/src/main/java/org/apache/activemq/transport/netty/NettyTransportSupport.java], the customized TrustManger allows all certificate to pass the verification (at Line 288).

*Security Impact*:

The checkClientTrusted and checkServerTrusted methods are expected to implement the certificate validation logic. Bypassing it could allow man-in-the-middle attacks.

*Useful Resources*:

https://cwe.mitre.org/data/definitions/295.html

*Solution we suggest:*

Do not customize the TrustManger or specify the certificate validation logic instead of allowing all certificates. 

*Please share with us your opinions/comments if there is any:*

Is the bug report helpful?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)