[
https://issues.apache.org/jira/browse/SCB-2188?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Mark Thomas resolved SCB-2188.
------------------------------
Resolution: Invalid
This is by design.
The clue is in the name.
> Customized TrustManager bypasses certificate verification
> ---------------------------------------------------------
>
> Key: SCB-2188
> URL: https://issues.apache.org/jira/browse/SCB-2188
> Project: Apache ServiceComb
> Issue Type: Improvement
> Components: Java-Chassis
> Reporter: Ying Zhang
> Priority: Major
>
> In file
> servicecomb-java-chassis/foundations/foundation-ssl/src/main/java/org/apache/servicecomb/foundation/ssl/TrustAllManager.java,
> the customized TrustManger allows all certificates to pass the verification
> (at Line 27).
> *Security Impact*:
> The checkClientTrusted and checkServerTrusted methods are expected to
> implement the certificate validation logic. Bypassing it could allow
> man-in-the-middle attacks.
> *Useful Resources*:
> [https://cwe.mitre.org/data/definitions/295.html]
> *Solution we suggest:*
> Do not customize the TrustManger or specify the certificate validation logic
> instead of allowing all certificates.
> *Please share with us your opinions/comments if there is any:*
> Is the bug report helpful?
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
