[ https://issues.apache.org/jira/browse/CMIS-1113?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Florian Müller resolved CMIS-1113.
----------------------------------
    Resolution: Not A Problem

See CMIS-1112.

> Customized TrustManager bypasses certificate verification
> ---------------------------------------------------------
>
>                 Key: CMIS-1113
>                 URL: https://issues.apache.org/jira/browse/CMIS-1113
>             Project: Chemistry
>          Issue Type: Improvement
>            Reporter: Ya Xiao
>            Priority: Major
>
> We found a security vulnerability in file [chemistry-opencmis/chemistry-opencmis-workbench/src/main/java/org/apache/chemistry/opencmis/workbench/model/ClientSession.java|https://github.com/apache/chemistry-opencmis/blob/9e49c685af9044a64cde0ab111792d74e914f4f2/chemistry-opencmis-workbench/chemistry-opencmis-workbench/src/main/java/org/apache/chemistry/opencmis/workbench/model/ClientSession.java].
> The customized TrustManager (at Line 393) allows all certificates to pass the verification.
>
> *Security Impact*:
> The checkClientTrusted and checkServerTrusted methods are expected to implement the certificate validation logic. Bypassing it could allow man-in-the-middle attacks.
>
> *Useful Resources*:
> [https://cwe.mitre.org/data/definitions/295.html]
>
> *Solution we suggest:*
> Do not customize the TrustManager or specify the certificate validation logic instead of allowing all certificates. To accept self-signed certificates, a proper way is to configure the trust store (see https://developer.android.com/training/articles/security-ssl#SelfSigned). Adding the certificate or its signer to the trust store can allow the self-signed certificate as well as avoid SSL spoofing.
>
> *Please share with us your opinions/comments if there are any:*
> Is the bug report helpful?

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
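The pattern the report describes and the trust-store alternative it suggests, as an added Java example; this is not code from the Apache Chemistry project or from the ClientSession.java file referenced above. The certificate file paths and the URL are taken from the command line and are assumptions of this example; the accept-all TrustManager is included only so it can be compared, side by side, with the trust-store configuration that keeps the JDK's own chain validation in place.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URI;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustStoreDemo {

    // The anti-pattern the report objects to (CWE-295): both check methods return
    // without inspecting the chain, so any certificate presented by an on-path
    // party is accepted. Kept here only for comparison with the fix below.
    static TrustManager[] trustEverything() {
        return new TrustManager[] { new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
    }

    // The suggested fix: keep the JDK's default X509TrustManager (chain building,
    // signature, validity-period and key-usage checks all remain) and only change
    // WHICH anchors it trusts, by loading them into an in-memory KeyStore.
    // certPaths are assumed to be DER- or PEM-encoded X.509 files, e.g. the
    // self-signed server certificate or the private CA that issued it.
    static TrustManager[] trustManagersFor(String... certPaths) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null); // start from an empty store, not the system cacerts
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        for (int i = 0; i < certPaths.length; i++) {
            try (InputStream in = new FileInputStream(certPaths[i])) {
                X509Certificate cert = (X509Certificate) cf.generateCertificate(in);
                trustStore.setCertificateEntry("anchor-" + i, cert);
            }
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        return tmf.getTrustManagers();
    }

    static SSLContext contextWith(TrustManager[] managers) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, managers, null); // no client keys, default SecureRandom
        return ctx;
    }

    // A quick review check: a trust manager that reports no accepted issuers yet
    // never throws is a red flag; a properly configured one lists its anchors.
    static int countAcceptedIssuers(TrustManager[] managers) {
        int n = 0;
        for (TrustManager tm : managers) {
            if (tm instanceof X509TrustManager) {
                n += ((X509TrustManager) tm).getAcceptedIssuers().length;
            }
        }
        return n;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: TrustStoreDemo https://host/ cert.pem [more.pem ...]");
            return;
        }
        String[] certs = Arrays.copyOfRange(args, 1, args.length);
        TrustManager[] pinned = trustManagersFor(certs);

        System.out.println("accept-all manager reports "
                + countAcceptedIssuers(trustEverything()) + " accepted issuers");
        System.out.println("trust-store manager reports "
                + countAcceptedIssuers(pinned) + " accepted issuers");

        HttpsURLConnection conn =
                (HttpsURLConnection) URI.create(args[0]).toURL().openConnection();
        conn.setSSLSocketFactory(contextWith(pinned).getSocketFactory());
        // The default HostnameVerifier is deliberately left in place; swapping in an
        // accept-all verifier would reopen the same spoofing hole at the hostname step.
        System.out.println("HTTP " + conn.getResponseCode() + " from " + args[0]);
    }
}
```

Run as `java TrustStoreDemo https://repo.example/ server.pem`: the accept-all manager reports zero issuers and would have connected to anything, while the trust-store manager reports one anchor and fails the handshake (javax.net.ssl.SSLHandshakeException) for any certificate not chaining to it. The same outcome can be reached without code by importing the certificate with `keytool -importcert -alias repo -file server.pem -keystore truststore.jks` and starting the JVM with `-Djavax.net.ssl.trustStore=truststore.jks`, which is the deployment-time form of the fix the report recommends.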