[ https://issues.apache.org/jira/browse/NET-579?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Simon Arlott updated NET-579:
-----------------------------
    Attachment: NET-579.patch

> SSL/TLS SocketClients do not verify the hostname against the certificate
> ------------------------------------------------------------------------
>
>                 Key: NET-579
>                 URL: https://issues.apache.org/jira/browse/NET-579
>             Project: Commons Net
>          Issue Type: Bug
>          Components: FTP, IMAP, POP3, SMTP
>    Affects Versions: 3.3
>         Environment: Java 1.7 (earlier versions cannot verify the hostname)
>            Reporter: Simon Arlott
>            Priority: Critical
>              Labels: security
>         Attachments: NET-579.patch
>
>   Original Estimate: 2h
>  Remaining Estimate: 2h
>
> Every subclass of SocketClient that does SSL/TLS will never verify the hostname of the server against the certificate. This means that any valid certificate for any CA in the default trust store will be accepted without error.
> SocketClient should be modified to store the hostname, and SMTPSClient/FTPSClient/IMAPSClient/POP3SClient should use it when negotiating SSL/TLS.
> Java 1.7 has support for verifying the hostname if SSLParameters.setEndpointIdentificationAlgorithm("HTTPS") is used.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
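
The check the issue asks for, as an added example that is not part of the issue, the attached patch, or Commons Net: a TLS layer is placed over an already connected socket using the stored hostname, and endpoint identification is switched on before the handshake. The class name `VerifiedTlsUpgrade` and method `upgrade` are hypothetical; the default JSSE trust store is assumed.

```java
import java.io.IOException;
import java.net.Socket;
import java.security.NoSuchAlgorithmException;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Hypothetical helper, not Commons Net code: upgrades a connected plain
// socket to TLS and checks the certificate against the stored hostname.
public class VerifiedTlsUpgrade {

    static SSLSocket upgrade(Socket plain, String hostname, int port)
            throws IOException, NoSuchAlgorithmException {
        if (hostname == null || hostname.isEmpty()) {
            // Without the name the caller asked for there is nothing to verify.
            throw new IOException("hostname required for endpoint identification");
        }
        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        // Layer TLS over the existing connection, passing the hostname through.
        SSLSocket tls = (SSLSocket) factory.createSocket(plain, hostname, port, true);
        tls.setUseClientMode(true);

        // Java 7+: the default trust manager matches the certificate to the
        // hostname during the handshake, using the HTTPS matching rules.
        SSLParameters params = tls.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        tls.setSSLParameters(params);

        tls.startHandshake(); // SSLHandshakeException on a name mismatch
        return tls;
    }

    // Usage: java VerifiedTlsUpgrade <host> <implicit-TLS port, e.g. 993>
    public static void main(String[] args) throws Exception {
        String host = args[0]; // the name the user asked to connect to
        int port = Integer.parseInt(args[1]);
        try (Socket plain = new Socket(host, port);
             SSLSocket tls = upgrade(plain, host, port)) {
            System.out.println("verified peer: " + tls.getSession().getPeerPrincipal());
        } catch (SSLHandshakeException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

If the `setEndpointIdentificationAlgorithm` call is left out, the handshake succeeds for any certificate that chains to a trusted CA, which is the behaviour the issue reports.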