[async-http-client] 07/08: Fixed CVE-2013-7397: SSL/TLS certificate verification is disabled under certain conditions

Emmanuel Bourg ebourg-guest at moszumanska.debian.org
Wed Dec 17 18:29:39 UTC 2014


This is an automated email from the git hooks/post-receive script.

ebourg-guest pushed a commit to branch master
in repository async-http-client.

commit 84886f93b3247b1776a0e18025e466c2137873b1
Author: Emmanuel Bourg <ebourg at apache.org>
Date:   Wed Dec 17 19:14:01 2014 +0100

    Fixed CVE-2013-7397: SSL/TLS certificate verification is disabled under certain conditions
---
 debian/changelog                      |   2 +
 debian/patches/02-CVE-2013-7397.patch | 148 ++++++++++++++++++++++++++++++++++
 debian/patches/series                 |   1 +
 3 files changed, 151 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 27f7a66..16d6f63 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -6,6 +6,8 @@ async-http-client (1.6.5-3) UNRELEASED; urgency=medium
   * Update debian/watch
 
   [ Emmanuel Bourg ]
+  * Fixed CVE-2013-7397: SSL/TLS certificate verification is disabled
+    under certain conditions (Closes: #773364)
   * Fixed a compilation error with Java 8 (Closes: #773372)
   * Standards-Version updated to 3.9.6 (no changes)
   * Removed the unnecessary build dependency on libclirr-maven-plugin-java
diff --git a/debian/patches/02-CVE-2013-7397.patch b/debian/patches/02-CVE-2013-7397.patch
new file mode 100644
index 0000000..cdeed8e
--- /dev/null
+++ b/debian/patches/02-CVE-2013-7397.patch
@@ -0,0 +1,148 @@
+Description: Remove the code disabling the SSL certificate validation
+Author: Emmanuel Bourg <ebourg at apache.org>
+Forwarded: not-needed
+--- a/src/main/java/com/ning/http/util/SslUtils.java
++++ b/src/main/java/com/ning/http/util/SslUtils.java
+@@ -51,11 +51,7 @@
+     public static SSLContext getSSLContext()
+             throws GeneralSecurityException, IOException {
+         SSLConfig config = new SSLConfig();
+-        if (config.keyStoreLocation == null || config.trustStoreLocation == null) {
+-            return getLooseSSLContext();
+-        } else {
+-            return getStrictSSLContext(config);
+-        }
++        return getStrictSSLContext(config);
+     }
+ 
+     static SSLContext getStrictSSLContext(SSLConfig config)
+@@ -95,29 +91,6 @@
+         return context;
+     }
+ 
+-    static SSLContext getLooseSSLContext()
+-            throws GeneralSecurityException {
+-        SSLContext sslContext = SSLContext.getInstance("TLS");
+-        sslContext.init(null, new TrustManager[]{LooseTrustManager.INSTANCE}, new SecureRandom());
+-        return sslContext;
+-    }
+-
+-    static class LooseTrustManager
+-            implements X509TrustManager {
+-
+-        public static final LooseTrustManager INSTANCE = new LooseTrustManager();
+-
+-        public java.security.cert.X509Certificate[] getAcceptedIssuers() {
+-            return null;
+-        }
+-
+-        public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType) {
+-        }
+-
+-        public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType) {
+-        }
+-    }
+-
+     private final static class SSLConfig {
+ 
+         public String keyStoreLocation;
+--- a/src/main/java/com/ning/http/client/providers/apache/ApacheAsyncHttpProvider.java
++++ b/src/main/java/com/ning/http/client/providers/apache/ApacheAsyncHttpProvider.java
+@@ -130,24 +130,6 @@
+     private final MultiThreadedHttpConnectionManager connectionManager;
+     private final HttpClientParams params;
+ 
+-    static {
+-        final SocketFactory factory = new TrustingSSLSocketFactory();
+-        Protocol.registerProtocol("https", new Protocol("https", new ProtocolSocketFactory() {
+-            public Socket createSocket(String string, int i, InetAddress inetAddress, int i1) throws IOException {
+-                return factory.createSocket(string, i, inetAddress, i1);
+-            }
+-
+-            public Socket createSocket(String string, int i, InetAddress inetAddress, int i1, HttpConnectionParams httpConnectionParams)
+-                    throws IOException {
+-                return factory.createSocket(string, i, inetAddress, i1);
+-            }
+-
+-            public Socket createSocket(String string, int i) throws IOException {
+-                return factory.createSocket(string, i);
+-            }
+-        }, 443));
+-    }
+-
+     public ApacheAsyncHttpProvider(AsyncHttpClientConfig config) {
+         this.config = config;
+         connectionManager = new MultiThreadedHttpConnectionManager();
+@@ -732,72 +714,6 @@
+         }
+     }
+ 
+-    private static class TrustingSSLSocketFactory extends SSLSocketFactory {
+-        private SSLSocketFactory delegate;
+-
+-        private TrustingSSLSocketFactory() {
+-            try {
+-                SSLContext sslcontext = SSLContext.getInstance("SSL");
+-
+-                sslcontext.init(null, new TrustManager[]{new TrustEveryoneTrustManager()}, new SecureRandom());
+-                delegate = sslcontext.getSocketFactory();
+-            } catch (KeyManagementException e) {
+-                throw new IllegalStateException();
+-            } catch (NoSuchAlgorithmException e) {
+-                throw new IllegalStateException();
+-            }
+-        }
+-
+-        @Override
+-        public Socket createSocket(String s, int i) throws IOException, UnknownHostException {
+-            return delegate.createSocket(s, i);
+-        }
+-
+-        @Override
+-        public Socket createSocket(String s, int i, InetAddress inetAddress, int i1) throws IOException, UnknownHostException {
+-            return delegate.createSocket(s, i, inetAddress, i1);
+-        }
+-
+-        @Override
+-        public Socket createSocket(InetAddress inetAddress, int i) throws IOException {
+-            return delegate.createSocket(inetAddress, i);
+-        }
+-
+-        @Override
+-        public Socket createSocket(InetAddress inetAddress, int i, InetAddress inetAddress1, int i1) throws IOException {
+-            return delegate.createSocket(inetAddress, i, inetAddress1, i1);
+-        }
+-
+-        @Override
+-        public String[] getDefaultCipherSuites() {
+-            return delegate.getDefaultCipherSuites();
+-        }
+-
+-        @Override
+-        public String[] getSupportedCipherSuites() {
+-            return delegate.getSupportedCipherSuites();
+-        }
+-
+-        @Override
+-        public Socket createSocket(Socket socket, String s, int i, boolean b) throws IOException {
+-            return delegate.createSocket(socket, s, i, b);
+-        }
+-    }
+-
+-    private static class TrustEveryoneTrustManager implements X509TrustManager {
+-        public void checkClientTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
+-            // do nothing
+-        }
+-
+-        public void checkServerTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
+-            // do nothing
+-        }
+-
+-        public X509Certificate[] getAcceptedIssuers() {
+-            return new X509Certificate[0];
+-        }
+-    }
+-
+     private final class ReaperFuture implements Future, Runnable {
+         private Future scheduledFuture;
+         private ApacheResponseFuture<?> apacheResponseFuture;
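Review bot: `getSSLContext()` in the SslUtils hunk now calls `getStrictSSLContext(config)` unconditionally, yet the removed branch covered exactly the case where `config.keyStoreLocation` or `config.trustStoreLocation` is null, and `getStrictSSLContext` (its body lies outside the hunk) presumably opens those paths; if so, a client that sets no store system properties now fails with an exception rather than receiving a verifying context. A safer default for that case is the JVM's own trust store, i.e. keep the null check and return `SSLContext.getDefault();` from it before falling through to the strict call. Removing the trust-everything managers and the custom https `Protocol` restores certificate chain validation, but hostname verification is a separate check in Apache HttpClient 3.x that the default https protocol may or may not perform, so it is worth confirming for the ApacheAsyncHttpProvider path. The imports used only by the deleted classes (TrustManager, X509TrustManager, SecureRandom, Protocol, ProtocolSocketFactory and friends) are likely left unused in both files and should go with them.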
diff --git a/debian/patches/series b/debian/patches/series
index 3209aba..0a964e7 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 01-java8-compatibility.patch
+02-CVE-2013-7397.patch



