[jira] [Created] (QPID-8499) Customized TrustManager bypasses certificate verification

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

[jira] [Created] (QPID-8499) Customized TrustManager bypasses certificate verification

ASF subversion and git services (Jira)
Ya Xiao created QPID-8499:
-----------------------------

             Summary: Customized TrustManager bypasses certificate verification
                 Key: QPID-8499
                 URL: https://issues.apache.org/jira/browse/QPID-8499
             Project: Qpid
          Issue Type: Improvement
            Reporter: Ya Xiao


We found a security vulnerability in file [qpid-broker-j/broker-core/src/main/java/org/apache/qpid/server/security/SiteSpecificTrustStoreImpl.java|https://github.com/apache/qpid-broker-j/blob/a70ed6f5edbcf0e8690447d48a1fe64e599cb703/broker-core/src/main/java/org/apache/qpid/server/security/SiteSpecificTrustStoreImpl.java]. The customized TrustManger (at Line 339) allows all certificates to pass the verification.

*Security Impact*:

The checkClientTrusted and checkServerTrusted methods are expected to implement the certificate validation logic. Bypassing it could allow man-in-the-middle attacks.

*Useful Resources*:

[https://cwe.mitre.org/data/definitions/295.html]

[https://developer.android.com/training/articles/security-ssl|https://developer.android.com/training/articles/security-ssl#SelfSigned]

*Solution we suggest:*

Do not customize the TrustManger or specify the certificate validation logic instead of allowing all certificates. See [here|https://developer.android.com/training/articles/security-ssl] to securely allow self-signed certificates and other common cases.

*Please share with us your opinions/comments if there is any:*

Is the bug report helpful?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]