- JOWS-47 (resolved; Brent Putman): TLSProtocolSocketFactory should not verify hostname from SSLSession getPeerHost()
- JOWS-46 (resolved; Brent Putman): CVE-2012-6153 & CVE-2014-3577 via commons-httpclient:commons-httpclient v3.1
- JOWS-45 (resolved; Brent Putman): Allow specification of method to use for existence check in HttpResource
- JOWS-44 (resolved; Brent Putman): Clean up use of JSSE API in TLSProtocolSocketFactory
- JOWS-43 (resolved; Brent Putman): HttpClientBuilder does not default socket timeout
- JOWS-42 (resolved; Brent Putman): HttpResource internal HttpClient does not have connection or socket timeouts
- JOWS-40 (resolved; Brent Putman): CancelTargetImpl setUnknownXMLObject method doesn't correctly process argument
- JOWS-38 (resolved; Brent Putman): HttpClientBuilder is setting a global Protocol and socket factory for 'https' scheme
- JOWS-37 (resolved; Brent Putman): FileBackedHttpResource does not properly read backup file, during initialization, if remote file is unreachable
- JOWS-36 (resolved; Brent Putman): WS-Trust OnBehalfOf provider is misimplemented, should support a sequence of wildcard children rather than a single child.
- JOWS-39 (resolved; Brent Putman): HTTPS scheme in FileBackedHTTPMetadataProvider does not perform hostname verification
- JOWS-35 (resolved; ChadC): Clean up maven assembly description
- JOWS-34 (resolved; ChadC): Update dependencies
- JOWS-33 (resolved; ChadC): HttpResource does not properly release HTTP connections
- JOWS-32 (resolved; Brent Putman): Inconsistency in getStatusCode result in HttpServletRequestAdapter
- JOWS-31 (resolved; ChadC): Failed test on Windows: testGetLocation(org.opensaml.util.resource.FilesystemResourceTest): expected:</...> but was:<C:\...>
- JOWS-30 (resolved; ChadC): Update POM for Shib.net Repo and attach generated Javadocs
- JOWS-29 (resolved; ChadC): Some pom changes for OpenWS
- JOWS-28 (resolved; ChadC): SOAP11Encoder doesn't encode original SOAP message
- JOWS-27 (resolved; Scott Cantor): BaseMessageDecoder logging of protocol messages assumes a DOM
- JOWS-26 (resolved; ChadC): KeyIdentifierMarshaller uses an incorrect attribute name
- JOWS-25 (resolved; ChadC): Objects are not signable xml
- JOWS-24 (resolved; ChadC): StorageServiceSweeper can throw exception, causing the entire TaskTimer to die
- JOWS-23 (resolved; ChadC): Update libs for 1.4.1
- JOWS-22 (resolved; Brent Putman): Static helper classes should not use static Loggers
- JOWS-20 (resolved; ChadC): Update 3rd party libs for 1.4.0 release
- JOWS-19 (resolved; ChadC): Memory leak in ReplayCache?
- JOWS-21 (resolved; ChadC): Can we get the Relying Party's certificate data in the log
- JOWS-18 (resolved; ChadC): ISO 8601 date/time parser problem
- JOWS-17 (resolved; ChadC): PropertyReplacementResourceFilter - avoid ClassCast exception due to empty properties file
- JOWS-16 (resolved; ChadC): Update libs for 1.3.0 release
- JOWS-15 (resolved; Brent Putman): AbstractDateTimeType does not handle all datetime formats
- JOWS-14 (resolved; ChadC): Cleanup StorageService related classes
- JOWS-13 (resolved; Brent Putman): HttpResource is incorrectly handling HTTP Last-Modified header in getLastModifiedTime()
- JOWS-12 (resolved; ChadC): Add version information in library JAR manifest and provide command line tool to view it
- JOWS-11 (resolved; ChadC): ExpiringObjectStorageServiceSweeper does not continuously execute
- JOWS-10 (resolved; ChadC): Add constructor to filesystem-related resource providers that take a URL to the file.
- JOWS-9 (resolved; ChadC): SOAP Fault elements faultcode, faultstring, faultactor and detail shouldn't be prefixed.
- JOWS-8 (resolved; ChadC): Allow a filter to be attached to a Resource
- JOWS-7 (resolved; ChadC): Clustered Storage Service
- JOWS-6 (resolved; ChadC): Implement SOAP client
- JOWS-2 (resolved; ChadC): Remove all usage of Javolution classes
- JOWS-1 (resolved; Brent Putman): Security policy rule implementations
TLSProtocolSocketFactory should not verify hostname from SSLSession getPeerHost()
Activity
Takeshi Nishimura November 12, 2015 at 10:34 AM
I didn't imagine that the source code of Oracle JDK and that of OpenJDK are not in sync, but non-security bug fixes seem to have a time gap between them. Maybe I should find the precise policy about that, and which source repository Red Hat makes packages from.
For more details about patching in OpenJDK, see:
https://bugzilla.redhat.com/show_bug.cgi?id=1251935
It seems it will be fixed next January.
> OpenJDK 7 and 8 introduced a bug
OpenJDK 6 is also affected, indeed.
emma.sajic@clicktools.com November 9, 2015 at 5:35 PM
That's extremely helpful Brent, thank you very much. Cheers.
Brent Putman November 9, 2015 at 5:17 PM
The plan is to do a final bugfix release of v2 OpenSAML and the IdP "around the end of the year". Given holidays and vacations, that will probably mean sometime in the first 2 weeks of January.
But if you're asking about this because of the JDK bug: that has apparently been fixed in the latest versions of Oracle Java released in late October (Offhand I don't know about OpenJDK, but assume the fix either has or soon will make it there as well). We were waiting on that release, and if they had not fixed it, our plan was to put out a bugfix for this. But since it has been fixed, we don't see this as urgent. So it will be rolled into our final end-of-year bugfix release before v2 goes into the status of security fixes only.
emma.sajic@clicktools.com November 9, 2015 at 11:18 AM
When is the next release of openws planned that will include this fix? Thanks.
Brent Putman September 29, 2015 at 12:36 AM
Provisional fix checked in with r481.
This requires adding a new protected method:
which is used instead of the now deprecated
A protected method technically is an API addition, but I don't really want to have to bump to a new minor version. I think we have an "out" in the versioning policy for this case (a bug, not a feature addition). But we can discuss.
Description
Newer versions of Oracle and OpenJDK 7 and 8 introduced a bug in that SSLSession#getPeerHost() will return the string representation of the original IP address rather than the hostname.
This makes this an unreliable target to evaluate for TLS hostname verification. New hostname verifiers, including HC 4.x, use the originally passed-in hostname to evaluate against the cert, so we should update to just do that and bypass the JDK bug.
Users list thread with details:
http://marc.info/?l=shibboleth-users&m=143756726417879&w=2
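The verification strategy the description calls for, as an added illustration in Java. This is example code written for this page, not OpenWS code and not the r481 change: the class `RequestedHostVerifier` and its methods are hypothetical names. It takes the host the caller originally asked to connect to and matches it against the leaf certificate's subjectAltName dNSName entries itself, so a JDK whose `SSLSession#getPeerHost()` reports the connect() IP string cannot influence the result. It deliberately omits the CN fallback and iPAddress SAN matching that a full RFC 6125 verifier (such as the HC 4.x one) provides.

```java
import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;

/**
 * Example code (not OpenWS): hostname verification driven by the host the
 * caller requested, never by SSLSession#getPeerHost(). On the JDK builds the
 * issue describes, getPeerHost() may hold the dotted-quad string used for
 * connect(), which would never match a certificate's DNS names.
 */
public final class RequestedHostVerifier {

    private RequestedHostVerifier() {}

    /**
     * Call after the handshake has completed. Closes the socket and throws if
     * the peer's leaf certificate does not cover requestedHost.
     */
    public static void verify(String requestedHost, SSLSocket socket) throws IOException {
        if (requestedHost == null || requestedHost.isEmpty()) {
            throw new IllegalArgumentException("requestedHost is required");
        }
        SSLSession session = socket.getSession();
        // getPeerCertificates() throws SSLPeerUnverifiedException if the peer sent no chain.
        Certificate[] chain = session.getPeerCertificates();
        if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
            throw new SSLPeerUnverifiedException("No X.509 peer certificate");
        }
        if (!matches(requestedHost, (X509Certificate) chain[0])) {
            socket.close();
            // getPeerHost() is included only for diagnostics, never as the value we match on.
            throw new SSLPeerUnverifiedException("Certificate does not match requested host "
                    + requestedHost + " (session.getPeerHost() reported " + session.getPeerHost() + ")");
        }
    }

    /**
     * True if any subjectAltName dNSName entry matches the requested host.
     * Matching is case-insensitive with a single left-most wildcard label.
     * A certificate with no dNSName SAN is treated as a non-match here; a
     * production verifier would add the CN fallback and iPAddress handling.
     */
    static boolean matches(String requestedHost, X509Certificate cert) throws CertificateParsingException {
        String host = requestedHost.toLowerCase(Locale.ROOT);
        if (host.endsWith(".")) {
            host = host.substring(0, host.length() - 1);   // strip a trailing FQDN dot
        }
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) {
            return false;
        }
        for (List<?> san : sans) {
            Integer type = (Integer) san.get(0);
            if (type != 2) {
                continue;                                    // 2 == dNSName (7 would be iPAddress)
            }
            String pattern = String.valueOf(san.get(1)).toLowerCase(Locale.ROOT);
            if (hostMatchesPattern(host, pattern)) {
                return true;
            }
        }
        return false;
    }

    /** "*.example.org" matches exactly one extra label; it never matches "example.org" itself. */
    static boolean hostMatchesPattern(String host, String pattern) {
        if (!pattern.startsWith("*.")) {
            return host.equals(pattern);
        }
        String suffix = pattern.substring(1);                // ".example.org"
        if (!host.endsWith(suffix)) {
            return false;
        }
        String label = host.substring(0, host.length() - suffix.length());
        return !label.isEmpty() && !label.contains(".");
    }
}
```

The point of the design is that `requestedHost` travels from the caller's `createSocket(host, port)` argument into `verify()` unchanged; the session object is consulted only for the peer certificate chain, so the JDK's notion of the peer host never enters the comparison. A socket factory that instead reads `session.getPeerHost()` will, on an affected JDK, compare an IP string against dNSName entries and either reject every valid server or, if it falls back to a permissive default, skip the check entirely.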