【发布时间】:2020-02-21 00:21:02
【问题描述】:
我们使用 WhiteHat Source 扫描器来扫描我们的源代码。该工具通过 2 种方法找出“不正确的证书验证”(CWE-295) 安全问题。这是一个真正的安全问题吗?如果是,我们如何在 Java 8 中修复它,我们是否有解决此类问题的解决方案?非常感谢。
- public void checkClientTrusted(X509Certificate[] certs, String authType) --> 安全漏洞
- public void checkServerTrusted(X509Certificate[] certs, String authType) --> 安全漏洞
// http://www.nakov.com/blog/2009/07/16/disable-certificate-validation-in-java-ssl-connections/
public class JavaCertificationUtils {
private static final SanitizedLogger LOG = new SanitizedLogger(JavaCertificationUtils.class);
public static void javaTrustAllCerts() {
try {
// Create a trust manager that does not validate certificate chains
TrustManager[] trustAllCerts = new TrustManager[]{new X509TrustManager() {
public java.security.cert.X509Certificate[] getAcceptedIssuers() {
return null;
}
public void checkClientTrusted(X509Certificate[] certs, String authType) {
}
public void checkServerTrusted(X509Certificate[] certs, String authType) {
}
}};
// Install the all-trusting trust manager
SSLContext sc = SSLContext.getInstance("SSL");
sc.init(null, trustAllCerts, new java.security.SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
// Create all-trusting host name verifier
HostnameVerifier allHostsValid = new HostnameVerifier() {
public boolean verify(String hostname, SSLSession session) {
return true;
}
};
// Install the all-trusting host verifier
HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid);
} catch (Exception e) {
LOG.error("Java Certificate All Certs Exception.", e);
}
}
}
【问题讨论】:
标签: security