From d1e2c2f2c848a042854d38bd0f3c2ec323f47a6b Mon Sep 17 00:00:00 2001 From: Edwin Kempin Date: Sun, 13 Mar 2016 10:24:17 +0100 Subject: [PATCH] Fix SSL security issue in the SMTP email relay code The hostname of the SSL socket was not verified. This made the read from the socket insecure since without verifying the hostname it may be vulnerable to a man-in-the-middle attack as described in [1]. This issue was reported by Sam Blackshear and Jules Villard from the Infer static analysis team at Facebook and it was detected by running Infer [2] on the Gerrit code base. As described in [3] Java 7 has a mechanism to verify the identity of the certificate directly as part of the SSLSocket/SSLEngine API, and with this change we make use of it to verify the hostname. I discussed this with Shawn and we decided to develop this fix in open source since the issue is in a non-critical part of Gerrit. [1] https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf [2] http://fbinfer.com/ [3] http://stackoverflow.com/questions/17972658/sslsocket-ignores-domain-mismatch/17979954#17979954 Change-Id: I0a06c8e4791a5cd3fa776d4a8250b889678b3c32 Signed-off-by: Edwin Kempin --- .../java/org/apache/commons/net/smtp/AuthSMTPClient.java | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/gerrit-patch-commonsnet/src/main/java/org/apache/commons/net/smtp/AuthSMTPClient.java b/gerrit-patch-commonsnet/src/main/java/org/apache/commons/net/smtp/AuthSMTPClient.java index c5a9d0c559..ece982da8a 100644 --- a/gerrit-patch-commonsnet/src/main/java/org/apache/commons/net/smtp/AuthSMTPClient.java +++ b/gerrit-patch-commonsnet/src/main/java/org/apache/commons/net/smtp/AuthSMTPClient.java @@ -34,6 +34,8 @@ import java.util.List; import javax.crypto.Mac; import javax.crypto.spec.SecretKeySpec; +import javax.net.ssl.SSLParameters; +import javax.net.ssl.SSLSocket; import javax.net.ssl.SSLSocketFactory; public class AuthSMTPClient extends SMTPClient { @@ -55,6 +57,10 @@ public class AuthSMTPClient extends SMTPClient { _socket_ = sslFactory(verify).createSocket(_socket_, hostname, port, true); + SSLParameters sslParams = new SSLParameters(); + sslParams.setEndpointIdentificationAlgorithm("HTTPS"); + ((SSLSocket)_socket_).setSSLParameters(sslParams); + // XXX: Can't call _connectAction_() because SMTP server doesn't // give banner information again after STARTTLS, thus SMTP._connectAction_() // will wait on __getReply() forever, see source code of commons-net-2.2.