To establish an SSL/TLS connection that is not vulnerable to man-in-the-middle attacks, it's essential to make sure the server presents the right certificate.

The certificate's hostname-specific data should match the server hostname.

It's not recommended to reinvent the wheel by implementing custom hostname verification.

TLS/SSL libraries provide built-in hostname verification functions that should be used.

This rule raises an issue when:

|
2021-01-06 17:38:34 +01:00
|
|
|
|
|
|
|
* the `HostnameVerifier.verify()` method always returns `true`

== Noncompliant Code Example

----
import java.net.URL
import javax.net.ssl.HostnameVerifier
import javax.net.ssl.HttpsURLConnection

// Accepts any certificate regardless of the hostname it was issued for: a server
// holding a valid certificate for any other name can impersonate example.org.
val hostnameVerifier = HostnameVerifier { _, session ->
    true // Noncompliant
}

val url = URL("https://example.org/")
val urlConnection = url.openConnection() as HttpsURLConnection
urlConnection.hostnameVerifier = hostnameVerifier
----

== Compliant Solution

----
import java.net.URL
import javax.net.ssl.HostnameVerifier
import javax.net.ssl.HttpsURLConnection

// Delegate the matching to the platform's default verifier, which compares the
// certificate's subject / subject alternative names against the expected hostname.
val hostnameVerifier = HostnameVerifier { _, session ->
    HttpsURLConnection.getDefaultHostnameVerifier().run {
        // "example.com" is the hostname the peer certificate is expected to be issued for.
        verify("example.com", session)
    }
}

val url = URL("https://example.org/")
val urlConnection = url.openConnection() as HttpsURLConnection
urlConnection.hostnameVerifier = hostnameVerifier
----

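The following is an added example, not part of the rule description, that generalises the compliant solution: instead of hard-coding the expected name, it verifies the hostname the connection was actually opened for, restricts it to an allow-list of expected hosts (a constructed set, an assumption), and installs the verifier for every `HttpsURLConnection` in the process. Running it performs a real TLS connection to example.org.

```kotlin
import java.net.URL
import javax.net.ssl.HostnameVerifier
import javax.net.ssl.HttpsURLConnection
import javax.net.ssl.SSLSession

// Constructed allow-list of hosts this client is expected to talk to (assumption).
private val expectedHosts = setOf("example.org", "api.example.org")

// Delegates the actual matching (CN/SAN comparison, wildcard rules) to the
// platform verifier and only narrows which hostnames are acceptable. It never
// answers "true" on its own, which is exactly the pattern the rule flags.
class StrictHostnameVerifier(
    private val allowed: Set<String>,
    private val delegate: HostnameVerifier = HttpsURLConnection.getDefaultHostnameVerifier()
) : HostnameVerifier {
    override fun verify(hostname: String, session: SSLSession): Boolean {
        if (hostname !in allowed) {
            System.err.println("TLS hostname rejected: $hostname is not an expected host")
            return false
        }
        // Verify the name the client actually requested, not a hard-coded one.
        val matches = delegate.verify(hostname, session)
        if (!matches) {
            System.err.println("TLS hostname mismatch: peer certificate does not match $hostname")
        }
        return matches
    }
}

fun main() {
    // Applies to every HttpsURLConnection created afterwards in this process.
    HttpsURLConnection.setDefaultHostnameVerifier(StrictHostnameVerifier(expectedHosts))

    val connection = URL("https://example.org/").openConnection() as HttpsURLConnection
    connection.connect()
    println("Connected; peer verified as ${connection.peerPrincipal}")
    connection.disconnect()
}
```

A connection to a host outside the allow-list, or to a server whose certificate does not cover the requested name, fails with a `javax.net.ssl.SSLPeerUnverifiedException` instead of silently succeeding.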
include::../see.adoc[]