Any valid SSL server certificate can be used to perform a man-in-the-middle attack
Description
The implementation of ServerTrustManager contains a security vulnerability that can lead to unauthorized certificates being trusted erroneously, because the basicConstraints and nameConstraints extensions of the certificates within a certificate chain are not evaluated. Without the basicConstraints check, any end-entity certificate issued by a trusted CA (which every legitimate server holds) can itself be used to sign a certificate for an arbitrary host, so the holder of any valid server certificate can impersonate any XMPP server; without the nameConstraints check, a CA restricted to one name space can issue certificates for hosts outside it.
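The following is an added example, not Smack's code and not the ServerTrustManager implementation: it uses Go's crypto/x509 to build a constructed PKI (a demo root, an honest server certificate, an ordinary certificate for another host, and a name-constrained intermediate), then checks the chains an attacker would present with two verifiers. naiveChainCheck is a model of a signature-only verifier of the kind the issue describes (signatures chain to a trusted root, nothing else is inspected); pkixChainCheck is RFC 5280 path validation, which enforces basicConstraints, key usage, name constraints and the host name. The host names, serial numbers and subject names are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Host the attacker wants to impersonate (constructed for the demo).
const victimHost = "target.example.com"

type certKey struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

type outcome struct{ Naive, Strict error }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template builds a minimal certificate: CA:TRUE for issuers, CA:FALSE plus a
// DNS SAN and serverAuth EKU for servers. BasicConstraintsValid makes the
// basicConstraints extension present in the encoded certificate.
func template(serial int64, cn string, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  ca,
	}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		t.DNSNames = []string{cn}
	}
	return t
}

// issue signs tmpl with parent's key (self-signed when parent is nil). Nothing
// stops a CA:FALSE parent from signing; only the verifier can catch that.
func issue(tmpl *x509.Certificate, parent *certKey) *certKey {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent.cert, parent.key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return &certKey{must(x509.ParseCertificate(der)), key}
}

// naiveChainCheck models a signature-only verifier: each certificate must be
// signed by the next and the last must be the trusted root. It never looks at
// basicConstraints or nameConstraints, which is the flaw the issue describes.
func naiveChainCheck(chain []*x509.Certificate, root *x509.Certificate) error {
	for i := 0; i+1 < len(chain); i++ {
		child, parent := chain[i], chain[i+1]
		if err := parent.CheckSignature(child.SignatureAlgorithm, child.RawTBSCertificate, child.Signature); err != nil {
			return err
		}
	}
	if !chain[len(chain)-1].Equal(root) {
		return errors.New("chain does not end at the trusted root")
	}
	return nil
}

// pkixChainCheck runs RFC 5280 path validation (basicConstraints, key usage,
// name constraints, host name) via crypto/x509.
func pkixChainCheck(chain []*x509.Certificate, root *x509.Certificate, host string) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range chain[1:] {
		inter.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: host})
	return err
}

func run(chain []*x509.Certificate, root *x509.Certificate) outcome {
	return outcome{naiveChainCheck(chain, root), pkixChainCheck(chain, root, victimHost)}
}

// scenarios returns, per case, what the naive and the PKIX verifier decide.
func scenarios() map[string]outcome {
	root := issue(template(1, "Demo Root", true), nil)
	// Control: an honest certificate for victimHost issued by the root.
	honest := issue(template(2, victimHost, false), root)
	// Attack 1: an ordinary CA:FALSE certificate for some other host signs a
	// certificate for victimHost; the attacker only needs any valid certificate.
	legit := issue(template(3, "legit.example.com", false), root)
	rogue1 := issue(template(4, victimHost, false), legit)
	// Attack 2: an intermediate CA name-constrained to example.org issues for
	// victimHost, which lies under example.com.
	interTmpl := template(5, "Demo Intermediate", true)
	interTmpl.PermittedDNSDomains = []string{"example.org"}
	interTmpl.PermittedDNSDomainsCritical = true
	inter := issue(interTmpl, root)
	rogue2 := issue(template(6, victimHost, false), inter)
	return map[string]outcome{
		"honest":                   run([]*x509.Certificate{honest.cert, root.cert}, root.cert),
		"leaf as issuer":           run([]*x509.Certificate{rogue1.cert, legit.cert, root.cert}, root.cert),
		"outside name constraints": run([]*x509.Certificate{rogue2.cert, inter.cert, root.cert}, root.cert),
	}
}
```

Both attack chains pass naiveChainCheck (every signature verifies and the chain ends at the trusted root) and are rejected by pkixChainCheck; the honest chain passes both. The Java equivalent of pkixChainCheck is to hand the presented chain to CertPathValidator with the "PKIX" algorithm instead of verifying signatures by hand.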
Environment
None
Activity
Florian Schmaus February 10, 2014 at 11:36 AM
ServerTrustManager has been removed.
A future version of Smack may reimplement the functionality by using the SSLContext option of ConnectionConfiguration and implementing a configurable TrustManager as SmackModule.