| Summary: | gcc-java: does not verify SSL certificates by default |
|---|---|
| Product: | [Other] Security Response |
| Component: | vulnerability |
| Status: | CLOSED WONTFIX |
| Severity: | medium |
| Priority: | medium |
| Version: | unspecified |
| Hardware: | All |
| OS: | Linux |
| Keywords: | Security |
| Reporter: | Vincent Danen <vdanen> |
| Assignee: | Red Hat Product Security <security-response-team> |
| CC: | aph, jakub, jrusnack, rcvalle |
| Doc Type: | Bug Fix |
| Bug Blocks: | 734551 |
| Last Closed: | 2011-11-22 17:26:34 UTC |
Description
Vincent Danen
2011-05-18 15:26:25 UTC
Created attachment 499629 [details]
java program to demonstrate the flaw

This can be used to test the flaw:

```
$ javac -target 1.5 ssltest.java
$ gij ssltest example.com
$ java ssltest example.com
```

Testing results.

With java-1.5.0-ibm:

```
% java ssltest cerberus.annvix.ca
Exception in thread "main" javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target
    at com.ibm.jsse2.n.a(n.java:8)
    at com.ibm.jsse2.pc.a(pc.java:210)
    at com.ibm.jsse2.eb.a(eb.java:478)
    at com.ibm.jsse2.eb.a(eb.java:536)
    at com.ibm.jsse2.fb.a(fb.java:162)
    at com.ibm.jsse2.fb.a(fb.java:290)
    at com.ibm.jsse2.eb.m(eb.java:17)
    at com.ibm.jsse2.eb.a(eb.java:295)
    at com.ibm.jsse2.pc.a(pc.java:214)
    at com.ibm.jsse2.pc.g(pc.java:376)
    at com.ibm.jsse2.pc.a(pc.java:573)
    at com.ibm.jsse2.pc.startHandshake(pc.java:37)
    at ssltest.main(ssltest.java:10)
Caused by: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target
    at com.ibm.jsse2.util.f.b(f.java:93)
    at com.ibm.jsse2.util.f.b(f.java:85)
    at com.ibm.jsse2.util.e.a(e.java:9)
    at com.ibm.jsse2.ec.checkServerTrusted(ec.java:3)
    at com.ibm.jsse2.nb.checkServerTrusted(nb.java:16)
    at com.ibm.jsse2.fb.a(fb.java:298)
    ... 8 more
Caused by: java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target
    at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:379)
    at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilderImpl.java:195)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:215)
    at com.ibm.jsse2.util.f.b(f.java:68)
    ... 13 more
```

With java-1.6.0-openjdk:

```
% java ssltest cerberus.annvix.ca
Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1665)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:258)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:252)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1165)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:154)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:610)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:546)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:913)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1158)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1185)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1169)
    at ssltest.main(ssltest.java:10)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:302)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:205)
    at sun.security.validator.Validator.validate(Validator.java:235)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:147)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:230)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:270)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1144)
    ... 8 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:191)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:255)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:297)
    ... 14 more
```

With java-1.5.0-gcj:

```
% gij ssltest cerberus.annvix.ca
% openssl s_client -connect cerberus.annvix.ca:443
CONNECTED(00000003)
depth=0 C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = SomeOrganizationalUnit, CN = cerberus, emailAddress = root@cerberus
verify error:num=18:self signed certificate
```

As you can see, gij returns nothing (the server has a self-signed certificate). We cannot guarantee that every tool in the system that uses SSL has the expected behavior. Nevertheless, gij returns a verify error indicating this is a self-signed certificate.

Statement:

The Red Hat Security Response Team has rated this issue as having moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
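The attached ssltest.java is not reproduced on this page. The probe below is an added example, written for this page and not the reporter's attachment, that makes the same `startHandshake()` call but fails closed: if the runtime's default handshake accepts a chain, the program re-validates that chain explicitly through the default `X509TrustManager` and checks that the host name matches the leaf certificate, and exits non-zero when either check disagrees with the default handshake. The class name `SslProbe`, the exit-status convention and the exact-match hostname rule (no wildcard support) are this example's own choices; it is written in Java 5 syntax so that `javac -target 1.5` and `gij` can both run it.

```java
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/*
 * SslProbe: added example, not the ssltest.java attached to the bug.
 *   javac -target 1.5 SslProbe.java
 *   gij  SslProbe <host> [port]        java SslProbe <host> [port]
 * Exit 0: default handshake rejected the chain, or accepted it and the explicit
 *         PKIX and hostname checks agree.
 * Exit 1: default handshake accepted a chain that the explicit checks reject
 *         (the silent-acceptance behaviour reported for gij).
 */
public class SslProbe {

    /* The runtime's default X509TrustManager, built from its default CA store. */
    static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);          // null selects the JRE's default trust store
        TrustManager[] tms = tmf.getTrustManagers();
        for (int i = 0; i < tms.length; i++) {
            if (tms[i] instanceof X509TrustManager) return (X509TrustManager) tms[i];
        }
        throw new IllegalStateException("no X509TrustManager in default provider");
    }

    /* Explicit PKIX chain check. Returns null on success, else the failure reason. */
    static String explicitChainCheck(X509Certificate[] chain) throws Exception {
        try {
            String authType = chain[0].getPublicKey().getAlgorithm();  // e.g. "RSA"
            defaultTrustManager().checkServerTrusted(chain, authType);
            return null;
        } catch (CertificateException e) {
            return e.toString();
        }
    }

    /* Exact-match hostname check against dNSName SANs; falls back to the CN only
     * when the certificate has no SAN extension. Wildcards are deliberately not
     * handled (simplification of RFC 2818 section 3.1). */
    static boolean hostnameMatches(X509Certificate leaf, String host) throws Exception {
        Collection sans = leaf.getSubjectAlternativeNames();
        if (sans != null) {
            for (Iterator it = sans.iterator(); it.hasNext();) {
                List entry = (List) it.next();
                int type = ((Integer) entry.get(0)).intValue();      // 2 == dNSName
                if (type == 2 && host.equalsIgnoreCase((String) entry.get(1))) return true;
            }
            return false;
        }
        LdapName dn = new LdapName(leaf.getSubjectX500Principal().getName());
        for (Iterator it = dn.getRdns().iterator(); it.hasNext();) {
            Rdn rdn = (Rdn) it.next();
            if ("CN".equalsIgnoreCase(rdn.getType())
                    && host.equalsIgnoreCase(String.valueOf(rdn.getValue()))) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java SslProbe <host> [port]");
            System.exit(2);
        }
        String host = args[0];
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;

        SSLSocket sock = (SSLSocket) SSLSocketFactory.getDefault().createSocket(host, port);
        try {
            sock.startHandshake();          // the call made at ssltest.java:10
        } catch (SSLException e) {          // SSLHandshakeException on the JSSE runtimes above
            System.out.println("default handshake rejected the chain: " + e.getMessage());
            sock.close();
            System.exit(0);
        }

        Certificate[] peer = sock.getSession().getPeerCertificates();
        X509Certificate[] chain = new X509Certificate[peer.length];
        for (int i = 0; i < peer.length; i++) chain[i] = (X509Certificate) peer[i];
        sock.close();

        String chainError = explicitChainCheck(chain);
        boolean hostOk = hostnameMatches(chain[0], host);
        System.out.println("default handshake accepted: " + chain[0].getSubjectX500Principal());
        System.out.println("explicit PKIX check:   " + (chainError == null ? "ok" : chainError));
        System.out.println("hostname matches cert: " + hostOk);
        System.exit(chainError == null && hostOk ? 0 : 1);
    }
}
```

Two caveats. First, the explicit `checkServerTrusted` call goes through the same provider as the default handshake, so on a runtime whose trust manager is lenient it can be lenient too; the `openssl s_client` comparison used in the report remains the independent ground truth. Second, a plain `SSLSocket` handshake validates the chain but not the host name on these runtimes (that is done by `HttpsURLConnection`, not by `startHandshake()`), which is why the probe checks the name separately rather than treating a successful handshake as proof that the peer is who it claims to be.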