== Why is this an issue?

To prevent URL spoofing, ``++HostnameVerifier.verify()++`` methods should do more than simply ``++return true++``. Doing so may get you quickly past an exception, but that comes at the cost of opening a security hole in your application. 


=== Noncompliant code example

[source,java]
----
SSLContext sslcontext = SSLContext.getInstance( "TLS" );
sslcontext.init(null, new TrustManager[]{new X509TrustManager() {
  public void checkClientTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {}
  public void checkServerTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {}
  public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }

}}, new java.security.SecureRandom());

Client client = ClientBuilder.newBuilder().sslContext(sslcontext).hostnameVerifier(new HostnameVerifier() {
  @Override
  public boolean verify(String requestedHost, SSLSession remoteServerSession) {
    return true;  // Noncompliant
  }
}).build();
----


=== Compliant solution

[source,java]
----
SSLContext sslcontext = SSLContext.getInstance( "TLSv1.2" );
sslcontext.init(null, new TrustManager[]{new X509TrustManager() {
  @Override
  public void checkClientTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {}
  @Override
  public void checkServerTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {}
  @Override
  public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }

}}, new java.security.SecureRandom());

Client client = ClientBuilder.newBuilder().sslContext(sslcontext).hostnameVerifier(new HostnameVerifier() {
  @Override
  public boolean verify(String requestedHost, SSLSession remoteServerSession) {
    return requestedHost.equalsIgnoreCase(remoteServerSession.getPeerHost()); // Compliant
  }
}).build();
----


== Resources

* OWASP - https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration[Top 10 2017 Category A6 - Security Misconfiguration]
* CWE - https://cwe.mitre.org/data/definitions/295[CWE-295 - Improper Certificate Validation]
* Derived from FindSecBugs rule https://find-sec-bugs.github.io/bugs.htm#WEAK_HOSTNAME_VERIFIER[WEAK_HOSTNAME_VERIFIER]


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Do not unconditionally return true in this method.


=== Highlighting

return statement


'''
== Comments And Links
(visible only on this page)

=== on 5 Mar 2018, 15:16:24 Alexandre Gigleux wrote:
There is no SEI CERT ID for this one in \https://wiki.sei.cmu.edu/confluence/display/java/SEI+CERT+Oracle+Coding+Standard+for+Java

endif::env-github,rspecator-view[]