Posted to issues@commons.apache.org by "Simon Arlott (JIRA)" <ji...@apache.org> on 2015/08/22 11:14:45 UTC
[jira] [Created] (NET-579) SSL/TLS SocketClients do not verify the hostname against the certificate
Simon Arlott created NET-579:
--------------------------------
Summary: SSL/TLS SocketClients do not verify the hostname against the certificate
Key: NET-579
URL: https://issues.apache.org/jira/browse/NET-579
Project: Commons Net
Issue Type: Bug
Components: FTP, IMAP, POP3, SMTP
Affects Versions: 3.3
Environment: Java 1.7 (earlier versions cannot verify the hostname)
Reporter: Simon Arlott
Priority: Critical
Every subclass of SocketClient that does SSL/TLS will never verify the hostname of the server against the certificate. This means that any valid certificate for any CA in the default trust store will be accepted without error.
SocketClient should be modified to store the hostname, and SMTPSClient/FTPSClient/IMAPSClient/POP3SClient should use it when negotiating SSL/TLS.
Java 1.7 has support for verifying the hostname if SSLParameters.setEndpointIdentificationAlgorithm("HTTPS") is used.
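The setting named in the report, applied to a TLS socket layered over an already connected socket and shown with and without the check. This is an added example, not code from Commons Net or from the reporter. The class and method names are hypothetical, and `main` assumes a server that speaks TLS on connect (arguments: address, port, expected hostname).

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added example; class and method names are hypothetical, not Commons Net API.
public class HostnameCheckedTls {

    // Layers TLS over an already connected socket (the STARTTLS / AUTH TLS case).
    // With verifyHostname set, the handshake fails unless the certificate matches hostname.
    static SSLSocket negotiate(Socket plain, String hostname, boolean verifyHostname)
            throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        // The hostname passed here is the name the certificate is compared with,
        // so it must be the name the caller asked for, not a reverse-resolved one.
        SSLSocket tls = (SSLSocket) factory.createSocket(plain, hostname, plain.getPort(), true);
        tls.setUseClientMode(true);
        if (verifyHostname) {
            SSLParameters params = tls.getSSLParameters();
            // Java 7+: RFC 2818 name matching is performed during the handshake.
            params.setEndpointIdentificationAlgorithm("HTTPS");
            tls.setSSLParameters(params);
        }
        // Without the block above, only the chain to a trusted CA is checked.
        tls.startHandshake(); // throws SSLHandshakeException on a name mismatch
        return tls;
    }

    public static void main(String[] args) throws IOException {
        // Usage: java HostnameCheckedTls <address-to-connect> <port> <expected-hostname>
        String address = args[0];
        int port = Integer.parseInt(args[1]);
        String expected = args[2];
        for (boolean verify : new boolean[] {false, true}) {
            Socket plain = new Socket();
            plain.connect(new InetSocketAddress(address, port), 10_000);
            try (SSLSocket tls = negotiate(plain, expected, verify)) {
                System.out.println("verify=" + verify + ": handshake OK, "
                        + tls.getSession().getPeerPrincipal());
            } catch (IOException e) {
                plain.close();
                System.out.println("verify=" + verify + ": rejected: " + e.getMessage());
            }
        }
    }
}
```

When the expected hostname differs from the names in the server's certificate, the `verify=false` pass completes the handshake and the `verify=true` pass is rejected.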