Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SSLUtil should not allow trusting all certificates #2

Open
varrunr opened this issue Aug 20, 2014 · 1 comment
Open

SSLUtil should not allow trusting all certificates #2

varrunr opened this issue Aug 20, 2014 · 1 comment

Comments

@varrunr
Copy link

varrunr commented Aug 20, 2014

AllTrustManager trusts all certificates by default. SSL is basically useless without the concept of trust.
This is an example of bad SSL implementation and can lead to a man-in-the-middle attack. See http://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html for more

@chrisdail
Copy link
Contributor

ViPR installs with self-signed certificates so there is no concept of trust in a default install. This is provided as a convenience for default installations that did not sign certificates for use in the system. Also, the ssl factory can be overridden with a custom version which is what is recommended.

I will look to remove the trust all as a default setting for the 2.1 release.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants