The client connects to server without validating server certificate

[harrydevnull]

Backdrop : we have been using the amqp-rabbit connectionfactory. we use self signed certificate on server. we don't do the client-server authentication using TLS.

If the truststore and keystore is null and Usessl flag is set to true; the client accepts connections from any server.
below code gets invoked in the above scenario

  useSslProtocol(protocol, new NullTrustManager());

and in NullTrustManager as the doc suggest we do nothing.

/* Doesn't even bother looking at its arguments, simply returns,
/* which makes the check succeed.
*/

this is a grave security flaw (I feel) . This opens up possibility of man-in-middle attack.
If truststore is null we should delegate to Java's default implementation; under $JAVA_HOME/jre/lib/security/caccerts

I had updated code in my fork to reflect whatever I said.
do you agree or is there something else which i may have overlooked?

[michaelklishin]

This is why you can provide your own TrustManager (which is demonstrated in the docs).

[michaelklishin]

Unfortunately this is one of the best examples of how security can be at odds with usability. Delegating to the default settings of certificates will be confusing to many because most users have little understanding of how TLS works and virtually no one knows there is a directory for trusted CA certificates under JDK home.

We can add a new trust manager implementation that uses it. Otherwise there's already a way to use any trust manager you please, and it is easy to notice in the API. The docs guide does demonstrate all that.

It is guaranteed that forcing a non-null trust manager will significantly increase the number of TLS-related questions. In the end those who do not understand how things work will find a way to disable peer authentication and that will be that. It happened before in many communities.

Bunny emits a warning when peer authentication is disabled. This client could do the same now that it has proper logging.

[harrydevnull]

All the more reason to get the defaults correct.
I know this issue has been closed nevertheless; we should never have had the NullTrustManager in the source tree.

please find the recent article with android security vulnerability.
http://www.appcelerator.com/blog/2016/02/google-security-alert-unsafe-implementation-of-the-interface-x509trustmanager/

[michaelklishin]

@harrydevnull thank you for your time on #227 but you keep ignoring our feedback both here and on rabbitmq-users.

[michaelklishin]

Look, we understand what the value of TLS verification. No need to school us. Please hear us out: this is a breaking change that can only go into 5.0, that removes a valid feature (every single HTTP client out there provides a way to disable peer verification, whether you like it or not, for instance), and frames the problem as if disabling TLS verification is an absolute sin and there can never be a valid scenario for it. Yes, there can be. Yes, there is a real usability cost. I suggested a solution where a warning is emitted when the null trust manager is used, just like in Bunny: that and introduction of a "default JDK certificate store" trust manager are acceptable changes for the time being.

…

On Thu, Dec 15, 2016 at 6:33 AM, harrydevnull ***@***.***> wrote: All the more reason to get the defaults correct. I know this issue has been closed nevertheless; we should never have had the NullTrustManager in the source tree. please find the recent article with android security vulnerability. http://www.appcelerator.com/blog/2016/02/google-security- alert-unsafe-implementation-of-the-interface-x509trustmanager/ — You are receiving this because you modified the open/close state. Reply to this email directly, view it on GitHub <#226 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAAEQtRGubU67Nt-eXEo9XL7iSQ9oQ3Qks5rILUSgaJpZM4LLR30> .

-- MK Staff Software Engineer, Pivotal/RabbitMQ

[michaelklishin]

I'm filing two specific changes we are willing to accept and locking this one: you believe that your solution is the only appropriate one. I don't. Let's save ourselves some time.