Details
Type: Bug
Status: Resolved
Priority: Major
Resolution: Information Provided
Description
The examples ClientCustomSSL and AsyncClientCustomSSL both have a Javadoc comment which says:
This example demonstrates how to create secure connections with a custom SSL context.
However, this is misleading or even incorrect because the code below does the following:
    .loadTrustMaterial((chain, authType) -> {
        final X509Certificate cert = chain[0];
        return "CN=httpbin.org".equalsIgnoreCase(cert.getSubjectDN().getName());
    })
This accepts the certificate as long as the subject matches, without properly validating it at all, allowing man-in-the-middle attacks.
This can for example be seen with the various https://badssl.com/ subdomains. For example changing in the example the URL to https://self-signed.badssl.com/ and changing the expected subject to "CN=*.badssl.com, O=BadSSL, L=San Francisco, ST=California, C=US" still successfully creates the connection, even though the certificate is self-signed and could have been issued by a malicious actor performing a MITM attack.
Ideally this section with the custom TrustStrategy should be removed because it is not even necessary for this example to work.
Or if you want to keep this, then there should be a big "WARNING: ..." comment in this line. Otherwise users might erroneously think a custom TrustStrategy is needed for TLS to work, or they might just keep this example code because their code "works", without understanding the consequences of this.
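For contrast with the snippet quoted in the report, the following added example (not code from the report or from the HttpClient project) shows a subject check that is applied in addition to standard chain validation instead of replacing it. It uses only JDK classes; the class names `SubjectCheckingTrust` and `SubjectPinningTrustManager` are hypothetical, and the expected subject is the one used on this page.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class SubjectCheckingTrust {
    /** Runs the JDK's default chain validation first, then an extra subject check. */
    static final class SubjectPinningTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        private final String expectedSubject; // RFC 2253 form, e.g. "CN=httpbin.org"
        SubjectPinningTrustManager(X509TrustManager delegate, String expectedSubject) {
            this.delegate = delegate;
            this.expectedSubject = expectedSubject;
        }
        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            // Throws for self-signed, expired or otherwise untrusted chains.
            delegate.checkServerTrusted(chain, authType);
            // Only reached for a chain that already validated: narrow it further.
            String subject = chain[0].getSubjectX500Principal().getName();
            if (!expectedSubject.equalsIgnoreCase(subject)) {
                throw new CertificateException("Unexpected subject: " + subject);
            }
        }
        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            delegate.checkClientTrusted(chain, authType);
        }
        @Override
        public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }
    static SSLContext build(String expectedSubject) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JDK's default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                SSLContext ctx = SSLContext.getInstance("TLS");
                ctx.init(null, new TrustManager[] {
                        new SubjectPinningTrustManager((X509TrustManager) tm, expectedSubject) }, null);
                return ctx;
            }
        }
        throw new IllegalStateException("No default X509TrustManager available");
    }
    public static void main(String[] args) throws Exception {
        System.out.println(build("CN=httpbin.org").getProtocol()); // builds offline, no connection made
    }
}
```

With this context, a self-signed certificate fails in `delegate.checkServerTrusted` before the subject is ever compared, so a matching subject alone is never sufficient.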