TLS Hostname verification is not performed #222
Comments
Isn't this one a bug, and quite important? Someone could do a man-in-the-middle attack. Should it not be targeted to 0.7.x?
Netty HTTP client's `SSLContext` has an underlying `SSLEngine` that doesn't have hostname verification enabled by default. This feature is relying on JDK7+ API. Since Reactor Netty is JDK8+, we can safely enable this by default and remove this code once Netty has moved to JDK8 as a baseline. Closes: reactorgh-222
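The change the commit message describes, shown on a plain JDK `SSLEngine` as an added example (not Reactor Netty's or Netty's own code): the helper names `isHostnameVerificationEnabled` and `enableHostnameVerification` are assumed, and the peer host is the badssl test host cited in the issue; no connection is opened.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

/**
 * Added example, not Reactor Netty's code. A client SSLEngine validates the
 * server's certificate chain, but it does not check that the certificate
 * matches the peer host (RFC 6125) until an endpoint identification
 * algorithm is set on its SSLParameters (a JDK7+ API).
 */
public final class HostnameVerificationExample {

    /** True only if the engine will bind the certificate to the peer host name. */
    static boolean isHostnameVerificationEnabled(SSLEngine engine) {
        String algorithm = engine.getSSLParameters().getEndpointIdentificationAlgorithm();
        return algorithm != null && !algorithm.isEmpty();
    }

    /** The fix from the commit message: enable "HTTPS" endpoint identification. */
    static void enableHostnameVerification(SSLEngine engine) {
        // getSSLParameters() returns a copy, so the modified copy must be set back.
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
    }

    public static void main(String[] args) throws Exception {
        // The peer host/port given here are what the "HTTPS" algorithm matches
        // the certificate against; they also drive SNI. No socket is opened.
        SSLEngine engine = SSLContext.getDefault().createSSLEngine("wrong.host.badssl.com", 443);
        engine.setUseClientMode(true);

        // Weak default: getEndpointIdentificationAlgorithm() is null, so a valid
        // certificate for any other host would be accepted.
        System.out.println("default: hostname verification enabled = "
                + isHostnameVerificationEnabled(engine));

        enableHostnameVerification(engine);
        System.out.println("after fix: hostname verification enabled = "
                + isHostnameVerificationEnabled(engine));
    }
}
```

The same `SSLParameters` call applies to an engine obtained from Netty's `SslContext`, which is where Reactor Netty gets its engine.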
I'm not sure if it's related, but I've just seen this error on Spring Boot
I don't think Spring Boot has moved to reactor-netty snapshots yet so it's probably not the changes that went into this commit that caused this.
It could be related if it was the case, @bclozel applied these changes in our own tests otherwise the ssl context wasn't validating self signed certificates: https://github.com/reactor/reactor-netty/pull/275/files#diff-5ff61b23da46920cd9646f1b51d12622R678
Spring Boot is still using
Expected behavior
When connecting to a server and the server returns a valid certificate that doesn't correspond to its DNS name, the connection is accepted. For example: https://wrong.host.badssl.com/
Actual behavior
Hostname verification should be done according to RFC6125 and the connection should be terminated.
Steps to reproduce
Reactor Netty version: 0.7.1.RELEASE
JVM version (e.g. java -version): 1.8.0_152
OS version (e.g. uname -a): Windows 10 version 1703