Ying Zhang created SCB-2188:
-------------------------------

             Summary: Customized TrustManager bypasses certificate verification
                 Key: SCB-2188
                 URL: https://issues.apache.org/jira/browse/SCB-2188
             Project: Apache ServiceComb
          Issue Type: Improvement
          Components: Java-Chassis
            Reporter: Ying Zhang
In file servicecomb-java-chassis/foundations/foundation-ssl/src/main/java/org/apache/servicecomb/foundation/ssl/TrustAllManager.java, the customized TrustManager allows all certificates to pass the verification (at Line 27).

*Security Impact*: The checkClientTrusted and checkServerTrusted methods are expected to implement the certificate validation logic. Bypassing it could allow man-in-the-middle attacks.

*Useful Resources*: [https://cwe.mitre.org/data/definitions/295.html]

*Solution we suggest:* Do not customize the TrustManager, or specify the certificate validation logic instead of allowing all certificates.

*Please share with us your opinions/comments if there is any:* Is the bug report helpful?

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
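As an added illustration (not code from the ServiceComb project or the reporter), the accept-all pattern the report describes is shown beside a hardened alternative that obtains the JVM's own PKIX trust manager and additionally enables hostname verification; the class and method names here are assumed for the example.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class TrustManagerExample {
    // Anti-pattern described in the report: every chain passes, so any certificate is trusted.
    static final class TrustAllManager implements X509TrustManager {
        public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    // Hardened alternative: ask the platform for its PKIX trust manager over a truststore
    // (null = the JVM default cacerts) rather than hand-writing validation logic.
    static X509TrustManager pkixTrustManager(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // Wire the real trust manager into an SSLContext and turn on hostname verification,
    // which chain validation alone does not provide (assumed helper, not project code).
    static SSLSocket connect(String host, int port) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { pkixTrustManager(null) }, null);
        SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        SSLParameters params = sock.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        sock.setSSLParameters(params);
        return sock;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: an empty chain, which no real validator should accept.
        X509Certificate[] empty = new X509Certificate[0];
        new TrustAllManager().checkServerTrusted(empty, "RSA");
        System.out.println("TrustAllManager: empty chain accepted");
        try {
            pkixTrustManager(null).checkServerTrusted(empty, "RSA");
            System.out.println("unexpected: empty chain accepted");
        } catch (CertificateException | IllegalArgumentException e) {
            System.out.println("PKIX trust manager rejected the chain: " + e.getMessage());
        }
    }
}
```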