Posted to issues@commons.apache.org by "Simon Arlott (JIRA)" <ji...@apache.org> on 2015/08/22 11:14:45 UTC

[jira] [Created] (NET-579) SSL/TLS SocketClients do not verify the hostname against the certificate

Simon Arlott created NET-579:
--------------------------------

             Summary: SSL/TLS SocketClients do not verify the hostname against the certificate
                 Key: NET-579
                 URL: https://issues.apache.org/jira/browse/NET-579
             Project: Commons Net
          Issue Type: Bug
          Components: FTP, IMAP, POP3, SMTP
    Affects Versions: 3.3
         Environment: Java 1.7 (earlier versions cannot verify the hostname)
            Reporter: Simon Arlott
            Priority: Critical


Every subclass of SocketClient that does SSL/TLS will never verify the hostname of the server against the certificate. This means that any valid certificate for any CA in the default trust store will be accepted without error.

SocketClient should be modified to store the hostname, and SMTPSClient/FTPSClient/IMAPSClient/POP3SClient should use it when negotiating SSL/TLS.

Java 1.7 has support for verifying the hostname if SSLParameters.setEndpointIdentificationAlgorithm("HTTPS") is used.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
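The Java 7 JSSE setting the report refers to, shown as an added example of how a client would upgrade an already-connected socket (e.g. after STARTTLS) to TLS and have the provider check the server certificate against the hostname it originally connected to. This is illustrative code only, not Commons Net source and not the reporter's patch; the class and method names are made up for the example, and it assumes Java 7 or later as stated in the Environment field.

```java
import java.io.IOException;
import java.net.Socket;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Hypothetical helper (not part of Commons Net) showing the check the report asks for.
public final class HostnameVerifiedTls {

    // Wraps a connected plaintext socket in TLS and enables endpoint identification,
    // so the handshake fails unless the certificate's SubjectAltName/CN matches
    // expectedHostname. Without the setEndpointIdentificationAlgorithm call, any
    // certificate chaining to a CA in the default trust store is accepted, which is
    // the behaviour described in the issue.
    public static SSLSocket wrapWithHostnameCheck(SSLSocketFactory factory,
                                                  Socket plain,
                                                  String expectedHostname,
                                                  int port) throws IOException {
        // The hostname passed here is what JSSE compares the certificate against
        // (and also sends as SNI); it must be the name the client connected to,
        // which is why SocketClient needs to remember it.
        SSLSocket ssl = (SSLSocket) factory.createSocket(plain, expectedHostname, port, true);

        SSLParameters params = ssl.getSSLParameters();
        // "HTTPS" selects RFC 2818 style name matching; it is not limited to HTTP
        // and is the right choice for FTP, IMAP, POP3 and SMTP clients as well.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        ssl.setSSLParameters(params);

        // Throws javax.net.ssl.SSLHandshakeException if the name does not match
        // or the chain is not trusted; the caller must treat that as fatal.
        ssl.startHandshake();
        return ssl;
    }

    // Minimal usage: connect in the clear, then upgrade with verification.
    // "mail.example.invalid" is a placeholder, not a real target.
    public static void main(String[] args) throws IOException {
        String host = "mail.example.invalid";
        int port = 993;
        Socket plain = new Socket(host, port);
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket ssl = wrapWithHostnameCheck(factory, plain, host, port);
        System.out.println("Verified TLS session with " + ssl.getSession().getPeerHost());
        ssl.close();
    }
}
```

The important part is that the hostname used for endpoint identification is the one the user supplied to connect, not something taken from the server or from DNS; a client that forgets the name it connected to cannot perform this check, which is the SocketClient change the report proposes.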