[
https://issues.apache.org/jira/browse/NET-579?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Simon Arlott updated NET-579:
-----------------------------
Attachment: NET-579_2.patch
This patch adds setEndpointCheckingEnabled() for use with Java 1.7+ and
setHostnameVerifier() for use with older JVMs and Android.
It's not enabled by default, primarily because the default implementation of
HostnameVerifier that Java provides always returns false...
> SSL/TLS SocketClients do not verify the hostname against the certificate
> ------------------------------------------------------------------------
>
> Key: NET-579
> URL: https://issues.apache.org/jira/browse/NET-579
> Project: Commons Net
> Issue Type: Bug
> Components: FTP, IMAP, POP3, SMTP
> Affects Versions: 3.3
> Environment: Java 1.7 (earlier versions cannot verify the hostname)
> Reporter: Simon Arlott
> Priority: Critical
> Labels: security
> Attachments: NET-579.patch, NET-579_2.patch
>
> Original Estimate: 2h
> Remaining Estimate: 2h
>
> Every subclass of SocketClient that does SSL/TLS will never verify the
> hostname of the server against the certificate. This means that any valid
> certificate for any CA in the default trust store will be accepted without
> error.
> SocketClient should be modified to store the hostname, and
> SMTPSClient/FTPSClient/IMAPSClient/POP3SClient should use it when negotiating
> SSL/TLS.
> Java 1.7 has support for verifying the hostname if
> SSLParameters.setEndpointIdentificationAlgorithm("HTTPS") is used.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
