Totally insecure SSL defaults #70
It seems that Dispatch by default accepts all SSL certificates (that is, does not check the certificate at all).
(Tested with dispatch-core_2.10-0.11.0.jar, async-http-client-1.7.16.jar, netty-3.6.3.Final.jar)
It seems this default behavior comes from AsyncHttpClient's Netty provider. Personally, I don't think this is a good default (see e.g. https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html), but at the very least, Dispatch documentation should mention this (and include an example of how to configure SSL properly -- something that AsyncHttpClient's docs seem to omit).
Comments
It may be beneficial for you and others to re-post this issue in that library's issue tracker. Here's the repo. The benefit of doing so is that dispatch and all other libraries built on top of async http client can pick up the upstream fix.
But feel free to send pull requests here as well.
As of 0.11.3, this seems to be fixed (due to a Netty provider change?).
Ran into this: AsyncHttpClient/async-http-client#991 Dispatch still uses SSLv2 and SSLv3, so this issue is definitely not done. If you guys upgrade to AsyncHttpClient 1.9.31 instead, this will fix the issue, as AHC will provide sane enabledProtocol defaults.
Alternative workaround is to manually bump your AHC version to 1.9.31 in sbt/gradle/maven/etc. Or put this:
Dispatch >= 0.12.x is using a version of AHC that should have this bug fixed. Given the nature of this bug I'm going to classify this as a critical security issue and issue a build named 0.11.4 that upgrades the AHC client for that version to 1.9.40.
Dispatch v0.11.4 has been released and should be on Maven Central shortly. AHC has been bumped to version 1.19.40 in that release, which should resolve this issue.
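The thread asks for an example of configuring SSL properly and for a way to tell whether a given Dispatch/AHC combination still trusts everything or still offers SSLv2/SSLv3. The following is an added example, not code from the issue, from Dispatch or from AsyncHttpClient. It assumes Dispatch 0.11.x running on an AsyncHttpClient 1.9.x line (the `com.ning.http.client` package), and that the `AsyncHttpClientConfig.Builder` setters `setAcceptAnyCertificate`, `setSSLContext` and `setEnabledProtocols` exist in that line; the `rejects` helper and the badssl.com host list are mine, chosen because those hosts present deliberately invalid certificates.

```scala
// Added example (not from the issue or the Dispatch project).
// Assumes Dispatch 0.11.x on AsyncHttpClient 1.9.x; the three Builder setters
// below are assumed to exist in that AHC line.
import java.security.cert.CertificateException
import javax.net.ssl.{SSLContext, SSLException}

import scala.concurrent.Await
import scala.concurrent.duration._
import scala.util.{Failure, Success, Try}

import dispatch._, Defaults._

object HardenedSsl {

  // Hardened client: refuse certificates the JVM trust store cannot verify,
  // use the JVM's default SSLContext, and never negotiate SSLv2/SSLv3.
  val hardened: Http = Http.configure { builder =>
    builder
      .setAcceptAnyCertificate(false)
      .setSSLContext(SSLContext.getDefault)
      .setEnabledProtocols(Array("TLSv1.2", "TLSv1.1", "TLSv1"))
  }

  // The unsafe setting, built only so the two behaviours can be compared side by side.
  val trustEverything: Http = Http.configure(_.setAcceptAnyCertificate(true))

  // True when the request fails with a TLS or certificate error, i.e. the
  // client refused the peer. A DNS or network failure is not a verdict either way.
  def rejects(client: Http, host: String): Boolean = {
    val req = url(s"https://$host/").GET
    Try(Await.result(client(req OK as.String), 20.seconds)) match {
      case Success(_) => false
      case Failure(e) => rootCause(e) match {
        case _: SSLException | _: CertificateException => true
        case _ => false
      }
    }
  }

  private def rootCause(t: Throwable): Throwable =
    if (t.getCause == null || t.getCause == t) t else rootCause(t.getCause)

  def main(args: Array[String]): Unit = {
    // Public hosts run by badssl.com whose certificates must not validate.
    // wrong.host.badssl.com additionally tells you whether hostname verification is on.
    val badHosts = Seq("self-signed.badssl.com", "expired.badssl.com", "wrong.host.badssl.com")
    for (h <- badHosts) {
      println(s"$h  hardened rejects: ${rejects(hardened, h)}  trust-all rejects: ${rejects(trustEverything, h)}")
    }
    // Protocol check: what the JVM's default context would offer on the wire.
    val engine = SSLContext.getDefault.createSSLEngine()
    println("default enabled protocols: " + engine.getEnabledProtocols.mkString(", "))
    hardened.shutdown()
    trustEverything.shutdown()
  }
}
```

Run it against the AHC version actually on your classpath: a client that reports `rejects: false` for the self-signed or expired host is the behaviour this issue describes, regardless of what the Dispatch version number suggests. Certificate validation and hostname verification are separate checks in AHC, so a client can validate the chain and still accept `wrong.host.badssl.com`; the third host exists to expose that case. The protocol line shows the JVM's own defaults, which is what the hardened configuration restricts further with `setEnabledProtocols`.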