
Totally insecure SSL defaults #70

Closed
pasieronen opened this issue Nov 12, 2013 · 7 comments

Comments

@pasieronen

It seems that Dispatch by default accepts all SSL certificates (that is, does not check the certificate at all).

(Tested with dispatch-core_2.10-0.11.0.jar, async-http-client-1.7.16.jar, netty-3.6.3.Final.jar)

It seems this default behavior comes from AsyncHttpClient's Netty provider. Personally, I don't think this is a good default (see e.g. https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html), but at the very least, Dispatch documentation should mention this (and include example how to configure SSL properly -- something that AsyncHttpClient's docs seem to omit).

@softprops
Contributor

> It seems this default behavior comes from AsyncHttpClient's Netty provider

It may be beneficial for you or others to re-post this issue in that library's issue tracker. Here's the repo. The benefit of doing so is that dispatch and all other libraries built on top of async http client can pick up the upstream fix.

related

@n8han

n8han commented Nov 12, 2013

But feel free to send pull requests here as well.

@hgiddens

As of 0.11.3, this seems to be fixed (due to a Netty provider change?).

@ghost

ghost commented Oct 8, 2015

Ran into this: AsyncHttpClient/async-http-client#991

Dispatch still uses SSLv2 and SSLv3 so this issue is definitely not done. If you guys upgrade to AsyncHttpClient 1.9.31 instead, this will fix the issue, as AHC will provide sane enabledProtocol defaults.

@ghost

ghost commented Oct 8, 2015

Alternative workaround is to manually bump your AHC version to 1.9.31 in sbt/gradle/maven/etc:

Or put this:

    // Imports assumed for Dispatch 0.11.x on AHC 1.9.x: Http and BuildInfo come from
    // the dispatch package, the config builder from com.ning.http.client
    import dispatch._
    import com.ning.http.client.{AsyncHttpClient, AsyncHttpClientConfig}

    val config = new AsyncHttpClientConfig.Builder()
      .setUserAgent("Dispatch/%s" format BuildInfo.version)
      // restrict the handshake to TLS versions; SSLv2 and SSLv3 are not in this list
      .setEnabledProtocols(Array[String]("TLSv1.2", "TLSv1.1", "TLSv1"))
      .build

    // hand the explicitly configured client to Dispatch instead of its default one
    val client = new AsyncHttpClient(config)
    Http(client)
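The comment above restricts the protocol list; the original report was about the other half of the problem, certificate checking. The following is an added example, not code from this thread, from Dispatch or from AsyncHttpClient. It assumes the AHC 1.9.x `com.ning.http.client` API (`AsyncHttpClientConfig.Builder` with `setSSLContext`, `setAcceptAnyCertificate`, `setEnabledProtocols`, and `getEnabledProtocols` on the built config) and Dispatch 0.11.x's `Http(client)` and `BuildInfo`; `HardenedHttp`, `legacyProtocols` and `TlsOnly` are names chosen here. It builds a client that uses the JVM's default trust store (so certificates are actually validated), enables only TLS, and refuses to construct the client if any SSL-era protocol is still enabled.

```scala
// Added example (assumed AHC 1.9.x / Dispatch 0.11.x API); not project code.
import javax.net.ssl.SSLContext
import com.ning.http.client.{AsyncHttpClient, AsyncHttpClientConfig}
import dispatch._

object HardenedHttp {
  // Hypothetical allow-list: TLS only, newest first. SSLv2Hello/SSLv3 are absent.
  val TlsOnly: Array[String] = Array("TLSv1.2", "TLSv1.1", "TLSv1")

  def config(): AsyncHttpClientConfig = {
    // The JVM default SSLContext validates chains against the platform trust store.
    // Not installing a custom all-trusting TrustManager is what keeps validation on.
    val ctx = SSLContext.getDefault
    new AsyncHttpClientConfig.Builder()
      .setUserAgent("Dispatch/%s" format BuildInfo.version)
      .setSSLContext(ctx)                  // assumed builder method (AHC 1.9.x)
      .setAcceptAnyCertificate(false)      // assumed builder method; must stay false
      .setEnabledProtocols(TlsOnly)        // same call as the workaround above
      .build
  }

  // Defensive check: list any enabled protocol whose name starts with "SSL".
  // If the config carries no explicit list, fall back to what the default
  // SSLEngine would negotiate, since that is what the provider would use.
  def legacyProtocols(cfg: AsyncHttpClientConfig): Seq[String] = {
    val enabled: Seq[String] = Option(cfg.getEnabledProtocols) // assumed getter
      .map(_.toSeq)
      .getOrElse(SSLContext.getDefault.createSSLEngine().getEnabledProtocols.toSeq)
    enabled.filter(_.toUpperCase.startsWith("SSL"))
  }

  // Build the Dispatch client, failing fast rather than shipping a weak config.
  def client(): Http = {
    val cfg = config()
    val bad = legacyProtocols(cfg)
    require(bad.isEmpty,
      s"refusing to build client: legacy protocols enabled: ${bad.mkString(", ")}")
    Http(new AsyncHttpClient(cfg))
  }
}

// Usage (constructed): a request through the hardened client; an invalid or
// self-signed server certificate now fails the future instead of being accepted.
// val http = HardenedHttp.client()
// val body = http(url("https://example.com/") OK as.String)
```

The `require` in `client()` turns a silent downgrade into a startup failure, which is easier to catch in CI than an enabled-protocol list buried in a config object; the `setAcceptAnyCertificate(false)` line is there so a later edit flipping it to `true` shows up in review.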

@farmdawgnation
Member

Dispatch >= 0.12.x is using a version of AHC that should have this bug fixed.

Given the nature of this bug I'm going to classify this as a critical security issue and issue a build named 0.11.4 that upgrades the AHC client for that version to 1.9.40.

@farmdawgnation
Member

Dispatch v0.11.4 has been released and should be on Maven Central shortly. AHC has been bumped to version 1.19.40 in that release, which should resolve this issue.
