A SUSE bug report [1] noted that gcj did not throw an exception when it encountered an invalid SSL certificate on an HTTPS server. Unlike other interpreters (openjdk or IBM's java), gcj is silent when it encounters an invalid SSL certificate, which could be used to trick a user into thinking they are connecting to a valid site using HTTPS when in fact they are not, which could be used in a man-in-the-middle attack, etc.

[1] https://bugzilla.novell.com/show_bug.cgi?id=596905
Created attachment 499629 [details]: java program to demonstrate the flaw

This can be used to test the flaw:

$ javac -target 1.5 ssltest.java
$ gij ssltest example.com
$ java ssltest example.com
Testing results.

With java-1.5.0-ibm:

% java ssltest cerberus.annvix.ca
Exception in thread "main" javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target
        at com.ibm.jsse2.n.a(n.java:8)
        at com.ibm.jsse2.pc.a(pc.java:210)
        at com.ibm.jsse2.eb.a(eb.java:478)
        at com.ibm.jsse2.eb.a(eb.java:536)
        at com.ibm.jsse2.fb.a(fb.java:162)
        at com.ibm.jsse2.fb.a(fb.java:290)
        at com.ibm.jsse2.eb.m(eb.java:17)
        at com.ibm.jsse2.eb.a(eb.java:295)
        at com.ibm.jsse2.pc.a(pc.java:214)
        at com.ibm.jsse2.pc.g(pc.java:376)
        at com.ibm.jsse2.pc.a(pc.java:573)
        at com.ibm.jsse2.pc.startHandshake(pc.java:37)
        at ssltest.main(ssltest.java:10)
Caused by: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target
        at com.ibm.jsse2.util.f.b(f.java:93)
        at com.ibm.jsse2.util.f.b(f.java:85)
        at com.ibm.jsse2.util.e.a(e.java:9)
        at com.ibm.jsse2.ec.checkServerTrusted(ec.java:3)
        at com.ibm.jsse2.nb.checkServerTrusted(nb.java:16)
        at com.ibm.jsse2.fb.a(fb.java:298)
        ... 8 more
Caused by: java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target
        at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:379)
        at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilderImpl.java:195)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:215)
        at com.ibm.jsse2.util.f.b(f.java:68)
        ... 13 more

With java-1.6.0-openjdk:

% java ssltest cerberus.annvix.ca
Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1665)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:258)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:252)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1165)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:154)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:610)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:546)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:913)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1158)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1185)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1169)
        at ssltest.main(ssltest.java:10)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:302)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:205)
        at sun.security.validator.Validator.validate(Validator.java:235)
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:147)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:230)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:270)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1144)
        ... 8 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:191)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:255)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:297)
        ... 14 more

With java-1.5.0-gcj:

% gij ssltest cerberus.annvix.ca
%

% openssl s_client -connect cerberus.annvix.ca:443
CONNECTED(00000003)
depth=0 C = --, ST = SomeState, L = SomeCity, O = SomeOrganization, OU = SomeOrganizationalUnit, CN = cerberus, emailAddress = root@cerberus
verify error:num=18:self signed certificate

As you can see, gij returns nothing (the server has a self-signed certificate).
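The test program above only calls startHandshake() and relies on the runtime's default trust decision, which is exactly what gcj gets wrong. The following is an added example (not the attached ssltest.java and not gcj/Classpath code) of a client that re-runs the platform's PKIX validation on the peer chain explicitly after the handshake, so an untrusted chain fails closed regardless of the runtime's default behaviour; the class name ExplicitTrustCheck, the exact-CN hostname check and the assumption that TrustManagerFactory.init(null) loads the runtime's default CA store are mine.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example: re-validate the peer chain with the platform X509TrustManager after
// the handshake, so a runtime that silently accepts a bad chain still fails closed.
public class ExplicitTrustCheck {
    // The JRE's own X509TrustManager, initialised from the default trust store.
    static X509TrustManager platformTrustManager() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // assumption: null selects the runtime's default CA store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // Handshakes with host:port and returns the chain only if PKIX validation passes
    // and the leaf CN equals the host; otherwise throws CertificateException.
    static X509Certificate[] connectAndVerify(String host, int port) throws Exception {
        SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket s = (SSLSocket) f.createSocket(host, port);
        try {
            s.startHandshake(); // per this bug, gij returns here even for a self-signed cert
            java.security.cert.Certificate[] peer = s.getSession().getPeerCertificates();
            X509Certificate[] chain = new X509Certificate[peer.length];
            for (int i = 0; i < peer.length; i++) chain[i] = (X509Certificate) peer[i];
            // Explicit path building against the trust store; throws on an untrusted chain.
            platformTrustManager().checkServerTrusted(chain, chain[0].getPublicKey().getAlgorithm());
            // Minimal hostname binding: exact CN match only (no subjectAltName handling).
            boolean cnMatches = false;
            for (String rdn : chain[0].getSubjectX500Principal().getName().split(",")) {
                if (rdn.trim().equals("CN=" + host)) cnMatches = true;
            }
            if (!cnMatches) throw new CertificateException("CN does not match " + host);
            return chain;
        } finally {
            s.close();
        }
    }

    public static void main(String[] args) throws Exception {
        X509Certificate[] chain = connectAndVerify(args[0], 443);
        System.out.println("chain validated, leaf: " + chain[0].getSubjectX500Principal());
    }
}
```

Against the self-signed cerberus host in the results above this throws a CertificateException from checkServerTrusted on any runtime, which is the observable failure the plain startHandshake() call does not give you on gcj.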
We cannot guarantee that every tool in the system that uses SSL has such expected behavior. Nevertheless, gij returns a verify error indicating this is a self-signed certificate.
Statement: The Red Hat Security Response Team has rated this issue as having moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.