Ying Zhang created SCB-2188:
-------------------------------
Summary: Customized TrustManager bypasses certificate verification
Key: SCB-2188
URL: https://issues.apache.org/jira/browse/SCB-2188
Project: Apache ServiceComb
Issue Type: Improvement
Components: Java-Chassis
Reporter: Ying Zhang
In file
servicecomb-java-chassis/foundations/foundation-ssl/src/main/java/org/apache/servicecomb/foundation/ssl/TrustAllManager.java,
the customized TrustManager allows all certificates to pass the verification
(at Line 27).
*Security Impact*:
The checkClientTrusted and checkServerTrusted methods are expected to implement
the certificate validation logic. Bypassing it could allow man-in-the-middle
attacks.
*Useful Resources*:
[https://cwe.mitre.org/data/definitions/295.html]
*Solution we suggest:*
Do not customize the TrustManager, or specify the certificate validation logic
instead of allowing all certificates.
*Please share with us your opinions/comments if there is any:*
Is the bug report helpful?
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
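For reference, the pattern the report describes and the fix it suggests, side by side, as an added example that is not the reporter's code and not code from the ServiceComb project. `TrustAllManager` below is a minimal reconstruction of the anti-pattern (no-op `checkClientTrusted`/`checkServerTrusted`, empty `getAcceptedIssuers`); the hardened path obtains the platform's PKIX `X509TrustManager` from `TrustManagerFactory`, backed either by the JVM's default truststore or by a caller-supplied PKCS12 truststore. The class name `TrustManagerDemo` and the `loadPkcs12` path argument are assumptions made for the example.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustManagerDemo {

    /** Anti-pattern (CWE-295): every chain is accepted, so a MITM's certificate passes too. */
    static final class TrustAllManager implements X509TrustManager {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    /**
     * Hardened path: let the platform PKIX implementation validate the chain.
     * trustStore == null selects the JVM's default truststore (cacerts);
     * pass a loaded PKCS12 KeyStore to pin a private CA instead.
     */
    static X509TrustManager loadTrustManager(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available from " + tmf.getAlgorithm());
    }

    /** Loads a PKCS12 truststore; the path is whatever the deployment provides (hypothetical here). */
    static KeyStore loadPkcs12(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    static SSLContext secureContext(X509TrustManager tm) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        return ctx;
    }

    /** A TrustManager only checks the chain; hostname matching must be switched on separately. */
    static SSLParameters paramsWithHostnameCheck(SSLContext ctx) {
        SSLParameters p = ctx.getDefaultSSLParameters();
        p.setEndpointIdentificationAlgorithm("HTTPS");
        return p;
    }

    public static void main(String[] args) throws Exception {
        X509Certificate[] emptyChain = new X509Certificate[0];

        // The trust-all manager "validates" even an empty chain without complaint.
        new TrustAllManager().checkServerTrusted(emptyChain, "RSA");
        System.out.println("TrustAllManager accepted an empty chain");

        // The platform manager refuses it (and would refuse any chain not rooted in the truststore).
        X509TrustManager real = loadTrustManager(null);
        try {
            real.checkServerTrusted(emptyChain, "RSA");
            System.out.println("unexpected: default trust manager accepted an empty chain");
        } catch (IllegalArgumentException | CertificateException e) {
            System.out.println("default trust manager rejected the chain: " + e.getMessage());
        }
        System.out.println("issuers trusted by the default store: " + real.getAcceptedIssuers().length);

        SSLContext ctx = secureContext(real);
        SSLParameters params = paramsWithHostnameCheck(ctx);
        System.out.println("endpoint identification: " + params.getEndpointIdentificationAlgorithm());
    }
}
```

To pin a private CA rather than the JVM defaults, call `loadTrustManager(loadPkcs12("/path/to/truststore.p12", password))` and pass the result to `secureContext`; either way the chain check is delegated to the platform implementation instead of being silenced, and `setEndpointIdentificationAlgorithm("HTTPS")` closes the separate gap that a correct chain for the wrong host would otherwise leave open.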