dxbjavid opened a new pull request, #404:
URL: https://github.com/apache/commons-net/pull/404

   When a hostname verifier is installed through setHostnameVerifier, 
FTPSClient only runs it during the control-connection handshake in 
sslNegotiation; the data connection opened for each transfer completes its TLS 
handshake in _openDataConnection_ without ever calling the verifier. As the 
default trust manager only checks that the certificate is in date and not that 
the name matches, an in-path attacker on the data port can present any 
unexpired certificate and the transferred bytes are read or altered even though 
the caller asked for the server identity to be checked. This runs the same 
verifier against _hostname_ on the data socket after its handshake, so the data 
channel honours the check already applied to the control channel.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to