[jira] [Updated] (NET-579) SSL/TLS SocketClients do not verify the hostname against the certificate

2015-11-26 Thread Sebb (JIRA)

[ https://issues.apache.org/jira/browse/NET-579?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sebb updated NET-579:
---------------------
    Fix Version/s: 3.4

> SSL/TLS SocketClients do not verify the hostname against the certificate
> 
>
>                 Key: NET-579
>                 URL: https://issues.apache.org/jira/browse/NET-579
>             Project: Commons Net
>          Issue Type: Bug
>          Components: FTP, IMAP, POP3, SMTP
>    Affects Versions: 3.3
>         Environment: Java 1.7 (earlier versions cannot verify the hostname)
>            Reporter: Simon Arlott
>            Priority: Critical
>              Labels: security
>             Fix For: 3.4
>
>         Attachments: NET-579.patch, NET-579_2.patch
>
>   Original Estimate: 2h
>  Remaining Estimate: 2h
>
> Every subclass of SocketClient that does SSL/TLS will never verify the 
> hostname of the server against the certificate. This means that any valid 
> certificate for any CA in the default trust store will be accepted without 
> error.
> SocketClient should be modified to store the hostname, and 
> SMTPSClient/FTPSClient/IMAPSClient/POP3SClient should use it when negotiating 
> SSL/TLS.
> Java 1.7 has support for verifying the hostname if 
> SSLParameters.setEndpointIdentificationAlgorithm("HTTPS") is used.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
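
The check the issue description asks for, as an added example in plain JSSE (Java 7+); it is not taken from NET-579.patch or from Commons Net. The class name `EndpointCheckedUpgrade`, the `upgrade` helper and the host `mail.example.org` are placeholders chosen for illustration.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class EndpointCheckedUpgrade {

    // Layers TLS over an already-connected socket (implicit TLS or after STARTTLS / AUTH TLS).
    // 'host' must be the name the caller asked to reach: it is what the certificate is
    // compared against, so it has to be stored when the plain connection is opened.
    static SSLSocket upgrade(Socket plain, String host, int port, boolean checkEndpoint)
            throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket tls = (SSLSocket) factory.createSocket(plain, host, port, true);
        tls.setUseClientMode(true);
        if (checkEndpoint) {
            // Java 7+: the default trust manager also matches the certificate's
            // subjectAltName / CN against 'host' during the handshake.
            SSLParameters params = tls.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            tls.setSSLParameters(params);
        }
        // Without the block above only the chain is validated, which is the
        // behaviour the issue describes: any certificate from a trusted CA passes.
        tls.startHandshake();
        return tls;
    }

    public static void main(String[] args) throws IOException {
        String host = args.length > 0 ? args[0] : "mail.example.org"; // placeholder name
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 993; // implicit-TLS IMAP
        Socket plain = new Socket();
        plain.connect(new InetSocketAddress(host, port), 10000);
        try (SSLSocket tls = upgrade(plain, host, port, true)) {
            System.out.println("Handshake OK, peer: "
                    + tls.getSession().getPeerPrincipal().getName());
        } catch (SSLException e) {
            // A certificate that chains to a trusted CA but names another host ends up here.
            System.err.println("TLS rejected for " + host + ": " + e.getMessage());
        }
    }
}
```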


[jira] [Updated] (NET-579) SSL/TLS SocketClients do not verify the hostname against the certificate

2015-08-23 Thread Simon Arlott (JIRA)

[ https://issues.apache.org/jira/browse/NET-579?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Simon Arlott updated NET-579:
----------------------------
    Attachment: NET-579_2.patch

This patch adds setEndpointCheckingEnabled() for use with Java 1.7+ and 
setHostnameVerifier() for use with older JVMs and Android.

It's not enabled by default, primarily because the default implementation of 
HostnameVerifier that Java provides always returns false...



[jira] [Updated] (NET-579) SSL/TLS SocketClients do not verify the hostname against the certificate

2015-08-22 Thread Simon Arlott (JIRA)

[ https://issues.apache.org/jira/browse/NET-579?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Simon Arlott updated NET-579:
----------------------------
    Attachment: (was: NET-579.patch)



[jira] [Updated] (NET-579) SSL/TLS SocketClients do not verify the hostname against the certificate

2015-08-22 Thread Simon Arlott (JIRA)

[ https://issues.apache.org/jira/browse/NET-579?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Simon Arlott updated NET-579:
----------------------------
    Attachment: NET-579.patch



[jira] [Updated] (NET-579) SSL/TLS SocketClients do not verify the hostname against the certificate

2015-08-22 Thread Simon Arlott (JIRA)

[ https://issues.apache.org/jira/browse/NET-579?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Simon Arlott updated NET-579:
----------------------------
    Attachment: NET-579.patch
