Hi,

in the user guide to Commons Email
http://commons.apache.org/proper/commons-email/userguide.html

I found the rather surprising statement:
"When using a secured transport (STARTTLS or SSL) you can force validating
the server's certificate by calling Email.setSSLCheckServerIdentity(true).
Having said that this does not seem to work on any of my test servers
(GMAIL, GMX)."

I can confirm that my code also does not complain when I test it against a
server with a self-signed certificate. setSSLCheckServerIdentity not working
means that Commons Email is vulnerable to MiTM attacks.

Is there a fix for this? Am I doing something wrong? Some misunderstanding?
Any workaround? Is the user guide wrong?

[ I would not discuss such a security issue on a public mailing list, if it
wasn't already disclosed in the user guide ]

Thanks

Carl
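Added example for the question above (not part of the thread and not Commons Email's own code): it configures an Email the way the user guide describes and then reads back the JavaMail properties that Commons Email hands to the transport, so you can see whether `mail.smtp.ssl.checkserveridentity` was actually set for your version. It assumes Commons Email 1.3 or later and the standard JavaMail property names; the host name is a constructed placeholder and no connection is made. Note that checkserveridentity only adds host-name verification; whether a self-signed chain is accepted at all is decided by the JVM trust store and by `mail.smtp.ssl.trust`, which is why that property is inspected too.

```java
import java.util.Properties;
import javax.mail.Session;
import org.apache.commons.mail.Email;
import org.apache.commons.mail.EmailException;
import org.apache.commons.mail.SimpleEmail;

/** Inspects the JavaMail properties that Commons Email builds from its setters. */
public class TlsSettingsCheck {

    /** Configures implicit SSL with identity checking and returns the
     *  properties of the Session Commons Email builds (nothing is sent). */
    static Properties effectiveProperties(String host) throws EmailException {
        Email email = new SimpleEmail();
        email.setHostName(host);
        email.setSslSmtpPort("465");
        email.setSSLOnConnect(true);
        email.setSSLCheckServerIdentity(true);
        Session session = email.getMailSession();
        return session.getProperties();
    }

    /** Strict only if host-name verification is enabled and trust has not
     *  been widened with mail.smtp.ssl.trust ("*" there trusts any server). */
    static boolean isStrict(Properties p) {
        boolean identity = "true".equals(p.getProperty("mail.smtp.ssl.checkserveridentity"));
        String trust = p.getProperty("mail.smtp.ssl.trust");
        return identity && (trust == null || !trust.contains("*"));
    }

    public static void main(String[] args) throws EmailException {
        // smtp.example.test is a constructed placeholder; no socket is opened.
        Properties p = effectiveProperties("smtp.example.test");
        String[] keys = {
            "mail.smtp.ssl.enable", "mail.smtp.socketFactory.class",
            "mail.smtp.ssl.checkserveridentity", "mail.smtp.ssl.trust",
            "mail.smtp.starttls.enable", "mail.smtp.starttls.required"
        };
        for (String key : keys) {
            System.out.println(key + " = " + p.getProperty(key));
        }
        System.out.println("strict TLS configuration: " + isStrict(p));
    }
}
```

If `mail.smtp.ssl.checkserveridentity` prints as null, the setter is not reaching the transport in your version and the property can be set directly on the Session before sending as a workaround.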
