[
https://issues.apache.org/jira/browse/QPID-8499?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17276163#comment-17276163
]
Alex Rudyy commented on QPID-8499:
----------------------------------
Hi [~rgodfrey]
To be fair, I was thinking about deletion of this type of trust store
implementation. Though, we can add a check on a port to prevent setting this
type of trust store on a port for using it in mutual authentication. I think
that should be in line with your comments:
{quote}
It would make sense for the implementation to, in some way, indicate that it is
not suitable for use as a truststore in the case where it is being used to
check the certificate presented by a server on an outbound (from the
perspective of the broker) connection, and prevent its use in this way.
{quote}
The certificate date validation is already implemented, though it is a post check.
The operation log is issued when the certificate expires:
{quote}
It should also (if it does not already) validate the current date lies within
the start/end dates on the presented certificate .
{quote}
We can improve this further for the SiteSpecificTrustStore to check the date
immediately on certificate download and throw an exception if it has expired. That
should stop a SiteSpecificTrustStore with an expired certificate from being stored
in the broker configuration.
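As an added illustration of the two changes discussed in this comment (not Broker-J code, and not the patch under discussion), the following hypothetical `PinnedSiteTrustManager` trusts only the single certificate downloaded for the site, checks the validity dates at construction time so an expired certificate is rejected before it can be stored, re-checks them on every use, and refuses outright to act as a truststore for client (mutual) authentication. The class name, the PEM loader and the comparison-by-DER-encoding approach are assumptions for the example.

```java
import java.io.InputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.X509TrustManager;

/**
 * Hypothetical pinning-style trust manager (example only, not Broker-J code).
 * It trusts exactly one previously downloaded server certificate, fails fast on
 * an expired or not-yet-valid certificate, and cannot be used for client auth.
 */
public final class PinnedSiteTrustManager implements X509TrustManager {

    private final X509Certificate pinned;

    public PinnedSiteTrustManager(X509Certificate downloaded) throws CertificateException {
        // Check validity dates at download/construction time rather than as a
        // post check: an expired certificate never becomes a stored trust store.
        // checkValidity() throws CertificateExpiredException or
        // CertificateNotYetValidException, both subclasses of CertificateException.
        downloaded.checkValidity();
        this.pinned = downloaded;
    }

    /** Builds the trust manager from a PEM/DER encoded certificate stream. */
    public static PinnedSiteTrustManager fromStream(InputStream in) throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert = (X509Certificate) cf.generateCertificate(in);
        return new PinnedSiteTrustManager(cert);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("Empty certificate chain presented by server");
        }
        X509Certificate leaf = chain[0];
        // Compare the DER encodings so that a certificate with the same subject
        // name but a different key or issuer is not accepted.
        if (!Arrays.equals(leaf.getEncoded(), pinned.getEncoded())) {
            throw new CertificateException(
                    "Server certificate does not match the pinned site certificate");
        }
        // The pinned certificate may have expired since it was downloaded.
        leaf.checkValidity();
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        // A site-specific trust store only describes one known outbound peer;
        // it carries no CA and must never be used to authenticate clients on a port.
        throw new CertificateException(
                "Site-specific trust store cannot be used for client (mutual) authentication");
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        // No CA certificates are accepted as issuers: only the exact pinned leaf.
        return new X509Certificate[0];
    }
}
```

Wiring this into an `SSLContext` for an outbound connection is the normal `SSLContext.init(null, new TrustManager[]{tm}, null)` call; attempting to install it on a port configured for mutual authentication fails at the first client handshake with the exception from `checkClientTrusted`, which is the port-level refusal described above, enforced at the trust manager itself.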
> [Broker-J] Customized TrustManager bypasses certificate verification
> --------------------------------------------------------------------
>
> Key: QPID-8499
> URL: https://issues.apache.org/jira/browse/QPID-8499
> Project: Qpid
> Issue Type: Improvement
> Components: Broker-J
> Reporter: Ya Xiao
> Priority: Major
>
> We found a security vulnerability in file
> [qpid-broker-j/broker-core/src/main/java/org/apache/qpid/server/security/SiteSpecificTrustStoreImpl.java|https://github.com/apache/qpid-broker-j/blob/a70ed6f5edbcf0e8690447d48a1fe64e599cb703/broker-core/src/main/java/org/apache/qpid/server/security/SiteSpecificTrustStoreImpl.java].
> The customized TrustManager (at Line 339) allows all certificates to pass the
> verification.
> *Security Impact*:
> The checkClientTrusted and checkServerTrusted methods are expected to
> implement the certificate validation logic. Bypassing it could allow
> man-in-the-middle attacks.
> *Useful Resources*:
> [https://cwe.mitre.org/data/definitions/295.html]
> [https://developer.android.com/training/articles/security-ssl|https://developer.android.com/training/articles/security-ssl#SelfSigned]
> *Solution we suggest:*
> Do not customize the TrustManager, or specify the certificate validation logic
> instead of allowing all certificates. See
> [here|https://developer.android.com/training/articles/security-ssl] to
> securely allow self-signed certificates and other common cases.
> *Please share with us your opinions/comments if there is any:*
> Is the bug report helpful?
--
This message was sent by Atlassian Jira
(v8.3.4#803005)