[ https://issues.apache.org/jira/browse/AMQ-5443?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14324275#comment-14324275 ]
Timothy Bish commented on AMQ-5443: ----------------------------------- Now that we require JDK v1.7 a simpler fix might be to use the HTTPS endpoint identification algorithm when configuring the SSLParameters. {code} if (isVerifyHost()) { SSLParameters sslParameters = engine.getSSLParameters(); sslParameters.setEndpointIdentificationAlgorithm("HTTPS"); engine.setSSLParameters(sslParameters); } {code} We'd be happy to review a patch along these lines, it should have unit tests along with it to validate things work as expected with checking enabled or disabled. > SSL client does not validate server certificate common name > ----------------------------------------------------------- > > Key: AMQ-5443 > URL: https://issues.apache.org/jira/browse/AMQ-5443 > Project: ActiveMQ > Issue Type: Bug > Components: JMS client > Affects Versions: 5.10.0 > Reporter: Allen Hadden > Labels: security > Attachments: MyActiveMQSslConnectionFactory.java > > > When using SSL the server certificate's common name (or subjectAltName) must > be validated in order to prevent a man-in-the-middle attack. The ActiveMQ > client does not do this by default and makes doing so somewhat difficult. > The result is that most applications that use the ActiveMQ client with SSL > are not getting the security they think they are. For a very good > explanation of this hostname verification issue, see > http://tersesystems.com/2014/03/23/fixing-hostname-verification/ > It is worth nothing that ActiveMQ was specifically mentioned in a paper > titled "The Most Dangerous Code in the World: Validating SSL Certificates in > Non-Browser Software" (https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf): > "Java-based Web-services middleware, such as Apache Axis, Axis 2, and > Codehaus XFire, is broken, too. So is the Android library for Pusher > notification API and Apache ActiveMQ implementation of Java Message Service. > All programs employing this middleware are generically insecure." > Also, ActiveMQ is specifically mentioned in CVE-2012-5784 > (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5784) as an example > of a library that does not do host name checking. I can't explain why this > hasn't been a bigger deal (am I missing something?). > We have worked around this in our code by providing our own connection > factory class that inherits from ActiveMQSslConnectionFactory. It overrides > the createTrustManager() and setKeyAndTrustManagers(...) methods in order to > "decorate" the real TrustManagers with a check for certificate host name. > Currently, it uses > org.apache.http.conn.ssl.SSLConnectionSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER > from the Apache HTTP Client project to verify the host name, which works for > our project because we already use the Apache HTTP Client elsewhere. > I created this issue with a Major priority, although it could be argued that > it's Critical because it's security related and likely to affect so many > people. -- This message was sent by Atlassian JIRA (v6.3.4#6332)