On Wed, 13 Nov 2019 15:55:18 +0100 Laurent Bigonville <[email protected]>
wrote:
> Hi,
>
> Except if I'm severely mistaken, it seems that jconsole does not verify the
> domain name nor check whether the CA is trusted when connecting to a JVM
> that has SSL enabled for JMX.
>
> This can lead to MITM and stealing of the credentials used to connect to
> JMX.

Little correction here.
jconsole does verify that the CA is trusted. My confusion comes from
#767272 and the fact that ca-certificates-java is not cleaning the
removed certificates from the java trusted store.
But I can confirm that jconsole is not checking the CN/AltNames of the
certificate (if I'm using the IP instead of the DNS name the connection
is still happening without warnings).
_______________________________________________
Mailing list: https://launchpad.net/~openjdk
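
A check for the behaviour reported in the message above, as an added example (not part of the original mail and not jconsole code): a JSSE SSLSocket validates the certificate chain against the trust store but compares the certificate's SAN/CN with the name used only when an endpoint identification algorithm is set. The class name EndpointIdCheck is hypothetical, and the port is assumed to accept TLS directly (for JMX, an RMI registry with SSL enabled).

```java
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.IOException;

/** Added example: TLS handshake with and without JSSE endpoint identification. */
public class EndpointIdCheck {

    /** Returns null if the handshake succeeds, otherwise the failure text. */
    static String handshake(String host, int port, boolean checkName) {
        // Default factory: uses the JVM trust store (or -Djavax.net.ssl.trustStore).
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            socket.setSoTimeout(5000);
            if (checkName) {
                // Without this setting JSSE checks only the chain of trust and
                // never compares the certificate's SAN/CN with `host`.
                SSLParameters params = socket.getSSLParameters();
                params.setEndpointIdentificationAlgorithm("HTTPS");
                socket.setSSLParameters(params);
            }
            socket.startHandshake();
            return null;
        } catch (IOException e) {
            return e.toString();
        }
    }

    public static void main(String[] args) {
        if (args.length != 2) {
            System.err.println("usage: java EndpointIdCheck <host-or-ip> <tls-port>");
            System.exit(2);
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        String chainOnly = handshake(host, port, false);
        String withName = handshake(host, port, true);
        System.out.println("chain only      : " + (chainOnly == null ? "OK" : chainOnly));
        System.out.println("chain + hostname: " + (withName == null ? "OK" : withName));
        if (chainOnly == null && withName != null) {
            // The certificate is trusted but does not cover the name used, so a
            // client without endpoint identification connects with no warning.
            System.out.println("Certificate does not match '" + host + "'.");
            System.exit(1);
        }
    }
}
```

Running it once with the DNS name and once with the IP address of the same endpoint shows whether the certificate covers each of them.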