-
-
Notifications
You must be signed in to change notification settings - Fork 15.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cryptographic Issue #9032
Comments
Sorry but you will have to provide more details. |
Veracode vulnerability analysis reports vulnerability at line no 69 in OpenSslX509TrustManagerWrapper.java ie
` We assume that in the above overridden methods doesn't have any implementation which might be causing the vulnerability issue. |
@sureshkrishnamoorthy this is not a "valid report" as this is only used to test if a wrapper is applied and is never used to actual verify certificates at the end. That said I can make this go away easily. Let me do this to make things "easier" for you. |
…ccept Motivation: Seems like some analyzer / validation tools scan code to detect if it may produce some security risk because of just blindly accept certificates. Such a tool did tag our code because we have such an implementation (which then is actually never be used). We should just change the impl to not do this as it does not matter for us and it makes such tools happier. Modifications: Throw CertificateException Result: Fixes #9032
@sureshkrishnamoorthy fixed by #9041 |
…ccept (#9041) Motivation: Seems like some analyzer / validation tools scan code to detect if it may produce some security risk because of just blindly accept certificates. Such a tool did tag our code because we have such an implementation (which then is actually never be used). We should just change the impl to not do this as it does not matter for us and it makes such tools happier. Modifications: Throw CertificateException Result: Fixes #9032
…ccept (#9041) Motivation: Seems like some analyzer / validation tools scan code to detect if it may produce some security risk because of just blindly accept certificates. Such a tool did tag our code because we have such an implementation (which then is actually never be used). We should just change the impl to not do this as it does not matter for us and it makes such tools happier. Modifications: Throw CertificateException Result: Fixes #9032
@normanmaurer Thank you so much for quick response and action. Do we have the release date for 4.1.35.Final version ? |
…ccept (netty#9041) Motivation: Seems like some analyzer / validation tools scan code to detect if it may produce some security risk because of just blindly accept certificates. Such a tool did tag our code because we have such an implementation (which then is actually never be used). We should just change the impl to not do this as it does not matter for us and it makes such tools happier. Modifications: Throw CertificateException Result: Fixes (netty#9032)
Software quality and security analysis tool (Veracode) reports an error "Improper Validation of Certificate with Host Mismatch (CWE ID 297)(1 flaw)" in
https://github.com/netty/netty/blob/netty-4.1.34.Final/handler/src/main/java/io/netty/handler/ssl/OpenSslX509TrustManagerWrapper.java
Description : The failure to validate host-specific certificate data may mean that, while the certificate read was valid, it was not for the site originally requested.
Netty version : 4.1.34.Final
Please let us know if it is a valid issue, if
yes, please suggest how to mitigate this.
no, please provide justification
The text was updated successfully, but these errors were encountered: