
TLSProtocolSocketFactory should not verify hostname from SSLSession getPeerHost()

Fixed

Description

Newer versions of Oracle and OpenJDK 7 and 8 introduced a bug in that SSLSession#getPeerHost() will return the string representation of the original IP address rather than the hostname.

This makes this an unreliable target to evaluate for TLS hostname verification. New hostname verifiers, including HC 4.x, use the originally passed-in hostname to evaluate against the cert, so we should update to just do that and bypass the JDK bug.

Users list thread with details:
http://marc.info/?l=shibboleth-users&m=143756726417879&w=2
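The verifier sketched below is an added example, not OpenWS or OpenSAML code and not the method Brent's r481 commit introduced: it shows the shape of the fix the description asks for, taking the hostname the caller originally requested and checking the peer's end-entity certificate against that, with SSLSession#getPeerHost() never consulted. The class and method names (RequestedHostVerifier, verify, matches) are this example's own, the SAN type codes 2 (dNSName) and 7 (iPAddress) are the ones documented for X509Certificate#getSubjectAlternativeNames, and the SAN list in main() is constructed sample data rather than one read from a real certificate.

```java
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

/**
 * Added example (not OpenWS code): verify the peer certificate against the
 * hostname the caller asked for, never against SSLSession#getPeerHost(),
 * which affected JDK builds fill with the peer IP address as a string.
 */
public final class RequestedHostVerifier {

    private static final int SAN_DNS = 2; // GeneralName dNSName
    private static final int SAN_IP = 7;  // GeneralName iPAddress

    /** Called by a socket factory after the handshake, with the hostname it was asked to reach. */
    public static void verify(String requestedHost, SSLSession session) throws SSLException {
        // The pattern this issue removes is "String target = session.getPeerHost();".
        // Under the JDK bug that is an IP string, so the certificate would be compared
        // against a value the caller never asked for instead of requestedHost.
        Certificate[] chain = session.getPeerCertificates(); // SSLPeerUnverifiedException if none
        if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
            throw new SSLPeerUnverifiedException("no X.509 end-entity certificate in peer chain");
        }
        if (!matches(requestedHost, subjectAltNames((X509Certificate) chain[0]))) {
            throw new SSLPeerUnverifiedException(
                    "peer certificate does not match requested host " + requestedHost);
        }
    }

    /** SAN entries as (type, value) pairs; an absent extension yields an empty list. */
    static Collection<List<?>> subjectAltNames(X509Certificate cert) throws SSLException {
        try {
            Collection<List<?>> sans = cert.getSubjectAlternativeNames();
            return sans == null ? Collections.<List<?>>emptyList() : sans;
        } catch (CertificateParsingException e) {
            throw new SSLPeerUnverifiedException("unparseable subjectAltName: " + e.getMessage());
        }
    }

    /**
     * Matching kept free of SSLSession so it can be exercised offline. An IP-literal
     * request matches only an iPAddress SAN; a DNS name matches dNSName SANs with at
     * most one left-most wildcard label. The legacy subject CN fallback is omitted.
     */
    static boolean matches(String requestedHost, Collection<List<?>> sans) {
        boolean ipLiteral = isIpLiteral(requestedHost);
        String host = requestedHost.toLowerCase(Locale.ROOT);
        for (List<?> san : sans) {
            int type = (Integer) san.get(0);
            String value = String.valueOf(san.get(1)).toLowerCase(Locale.ROOT);
            // IP comparison is textual; an IPv6 spelled differently fails closed (rejected).
            if (ipLiteral && type == SAN_IP && host.equals(value)) {
                return true;
            }
            if (!ipLiteral && type == SAN_DNS && dnsMatch(host, value)) {
                return true;
            }
        }
        return false;
    }

    /** Purely syntactic, no name resolution: dotted-decimal IPv4 or a hex-and-colon IPv6 literal. */
    static boolean isIpLiteral(String host) {
        return host.matches("\\d{1,3}(\\.\\d{1,3}){3}")
                || (host.indexOf(':') >= 0 && host.matches("\\[?[0-9a-fA-F:.]+\\]?"));
    }

    /** Exact match, or a "*.example.org" pattern matching exactly one extra label. */
    static boolean dnsMatch(String host, String pattern) {
        if (!pattern.startsWith("*.")) {
            return host.equals(pattern);
        }
        String suffix = pattern.substring(1); // ".example.org"
        if (suffix.indexOf('.', 1) < 0) {
            return false; // refuse "*.org"-style patterns
        }
        return host.length() > suffix.length() && host.endsWith(suffix)
                && host.substring(0, host.length() - suffix.length()).indexOf('.') < 0;
    }

    public static void main(String[] args) {
        // Constructed sample SAN list (not from a real certificate), in the exact
        // shape X509Certificate#getSubjectAlternativeNames returns.
        Collection<List<?>> sans = new ArrayList<List<?>>();
        sans.add(Arrays.<Object>asList(SAN_DNS, "idp.example.org"));
        sans.add(Arrays.<Object>asList(SAN_DNS, "*.sso.example.org"));
        sans.add(Arrays.<Object>asList(SAN_IP, "203.0.113.10"));

        check("idp.example.org", sans, true);
        check("IDP.Example.ORG", sans, true);        // case-insensitive
        check("login.sso.example.org", sans, true);  // one wildcard label
        check("a.b.sso.example.org", sans, false);   // wildcard spans one label only
        check("203.0.113.10", sans, true);           // IP literal: iPAddress SAN only
        check("192.0.2.1", sans, false);
    }

    private static void check(String host, Collection<List<?>> sans, boolean expected) {
        boolean got = matches(host, sans);
        System.out.println((got == expected ? "ok   " : "FAIL ") + host + " -> " + got);
    }
}
```

The important line is the signature of verify(): the caller passes the hostname it resolved and connected to, and that string is the only thing the certificate is compared against, which is exactly what keeps the JDK's getPeerHost() behaviour out of the trust decision. A socket factory wrapping this would call verify(host, ((SSLSocket) socket).getSession()) right after startHandshake() and close the socket on an exception.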

Environment

None

Details

Created September 29, 2015 at 12:28 AM
Updated January 9, 2016 at 1:28 AM
Resolved January 9, 2016 at 12:22 AM

Activity

Takeshi Nishimura 
November 12, 2015 at 10:34 AM

I didn't imagine that the source code of Oracle JDK and that of OpenJDK are not in sync, but non-security bug fixes seem to have a time gap between them. Maybe I should find the precise policy about that and which source repository Red Hat makes packages from.

For more details about patching in OpenJDK, see:
https://bugzilla.redhat.com/show_bug.cgi?id=1251935
It seems it will be fixed next January.

OpenJDK 7 and 8 introduced a bug

OpenJDK 6 is also affected, indeed.

emma.sajic@clicktools.com 
November 9, 2015 at 5:35 PM

That's extremely helpful Brent, thank you very much. Cheers.

Brent Putman 
November 9, 2015 at 5:17 PM

The plan is to do a final bugfix release of v2 OpenSAML and the IdP "around the end of the year". Given holidays and vacations, that will probably mean sometime in the first 2 weeks of January.

But if you're asking about this because of the JDK bug: that has apparently been fixed in the latest versions of Oracle Java released in late October (offhand I don't know about OpenJDK, but I assume the fix either has or soon will make it there as well). We were waiting on that release, and if they had not fixed it, our plan was to put out a bugfix for this. But since it has been fixed, we don't see this as urgent. So it will be rolled into our final end-of-year bugfix release before v2 goes into the status of security fixes only.

emma.sajic@clicktools.com 
November 9, 2015 at 11:18 AM

When is the next release of openws planned that will include this fix? Thanks.

Brent Putman 
September 29, 2015 at 12:36 AM

Provisional fix checked in with r481.

This requires adding a new protected method:

which is used instead of the now deprecated

A protected method technically is an API addition, but I don't really want to have to bump to a new minor version. I think we have an "out" in the versioning policy for this case ( a bug, not a feature addition ). But we can discuss.