Hostname validation for certificates should be enabled by default #429
JavaMail 1.0 specification has hostname validation of certificates disabled by default [1]. This is a very insecure default configuration, and the opposite of what would be expected as a default.
As part of Jakarta Mail 2.0 this should be changed to be secure by default.
[1] mail.smtp.ssl.checkserveridentity defaults to false

Comments

Absolutely!

The goal of Jakarta Mail 2.0.0 is to be identical to Jakarta Mail 1.6.5, except for the package name change. This is a good thing to consider for Jakarta Mail 2.0.1.

@IntegralProgrammer reported a security issue at Apache Sling for module Commons Messaging Mail. Server identity checks are now enabled by default to protect our users: Support server identity check. @lukasj, should we create a PR to get it into the next release?

@oliverlietz yes, please. Note that if this is an issue in the implementation code, then the PR belongs to https://github.com/eclipse-ee4j/angus-mail/, this repo hosts
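The point of the issue is that leaving `mail.smtp.ssl.checkserveridentity` at its historical default means TLS is negotiated but the server certificate is never matched against the host you asked for, so any certificate the trust store accepts will do. The following is an added example, not code from the issue or from the Jakarta Mail / Angus Mail projects: it puts the weak configuration beside a hardened one that sets the property explicitly, so the client is safe whatever the library default happens to be in the version you run. The host `smtp.example.com` and the `identityCheckEnabled` audit helper are illustrative assumptions; the `mail.smtp.*` property names are the documented ones.

```java
import java.util.Properties;
import jakarta.mail.Session;

/**
 * Added example (not from the eclipse-ee4j/mail project): the same SMTP
 * client configuration with and without an explicit server identity check.
 */
public class SmtpIdentityCheck {

    // Hypothetical server, used only for illustration.
    static final String HOST = "smtp.example.com";

    /**
     * Weak: implicit TLS on port 465 is enabled, but the certificate's
     * CN/SAN is never compared with HOST because checkserveridentity is
     * left at the library default (false in Jakarta Mail 1.6.x and 2.0.0).
     */
    static Properties weakConfig() {
        Properties p = new Properties();
        p.put("mail.smtp.host", HOST);
        p.put("mail.smtp.port", "465");
        p.put("mail.smtp.ssl.enable", "true");
        // mail.smtp.ssl.checkserveridentity deliberately not set
        return p;
    }

    /** Hardened: same transport, identity check turned on explicitly. */
    static Properties hardenedConfig() {
        Properties p = weakConfig();
        p.put("mail.smtp.ssl.checkserveridentity", "true");
        return p;
    }

    /**
     * Hardened STARTTLS variant for port 587: require the upgrade (so a
     * downgrade to plaintext fails) and check the identity of the peer.
     */
    static Properties hardenedStartTlsConfig() {
        Properties p = new Properties();
        p.put("mail.smtp.host", HOST);
        p.put("mail.smtp.port", "587");
        p.put("mail.smtp.starttls.enable", "true");
        p.put("mail.smtp.starttls.required", "true");
        p.put("mail.smtp.ssl.checkserveridentity", "true");
        return p;
    }

    /**
     * Audit helper (hypothetical, not part of the Jakarta Mail API): reports
     * whether a Properties object explicitly enables the identity check for
     * a protocol ("smtp", "imap", "pop3"). A missing property is reported as
     * disabled, matching the historical default this issue is about.
     */
    static boolean identityCheckEnabled(Properties p, String protocol) {
        String key = "mail." + protocol + ".ssl.checkserveridentity";
        return Boolean.parseBoolean(p.getProperty(key, "false"));
    }

    public static void main(String[] args) {
        System.out.println("weak config checks identity:      "
            + identityCheckEnabled(weakConfig(), "smtp"));
        System.out.println("hardened config checks identity:  "
            + identityCheckEnabled(hardenedConfig(), "smtp"));
        System.out.println("STARTTLS config checks identity:  "
            + identityCheckEnabled(hardenedStartTlsConfig(), "smtp"));

        // The property survives into the Session that Transport.send() will use.
        Session session = Session.getInstance(hardenedConfig());
        System.out.println("session mail.smtp.ssl.checkserveridentity = "
            + session.getProperty("mail.smtp.ssl.checkserveridentity"));
    }
}
```

Two caveats when applying this: the property is per protocol, so an IMAP or POP3 client needs `mail.imap.ssl.checkserveridentity` / `mail.pop3.ssl.checkserveridentity` set the same way, and the check is only meaningful if trust is still verified, so do not pair it with `mail.smtp.ssl.trust=*`, which accepts any certificate regardless of name.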