dxbjavid opened a new pull request, #404: URL: https://github.com/apache/commons-net/pull/404
When a hostname verifier is installed through setHostnameVerifier, FTPSClient only runs it during the control-connection handshake in sslNegotiation; the data connection opened for each transfer completes its TLS handshake in _openDataConnection_ without ever calling the verifier. As the default trust manager only checks that the certificate is in date and not that the name matches, an in-path attacker on the data port can present any unexpired certificate and the transferred bytes are read or altered even though the caller asked for the server identity to be checked. This runs the same verifier against _hostname_ on the data socket after its handshake, so the data channel honours the check already applied to the control channel. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
