
java - Is it safe to trust peerHost in a HostnameVerifier?

Reposted. Author: 行者123. Updated: 2023-12-04 22:43:15

One of the SonarQube rules disallows using a dummy HostnameVerifier that blindly accepts every host:

    Client client = ClientBuilder.newBuilder().sslContext(sslcontext).hostnameVerifier(new HostnameVerifier() {
        @Override
        public boolean verify(String requestedHost, SSLSession remoteServerSession) {
            return true; // Noncompliant
        }
    }).build();

And this example is given as compliant code:

    Client client = ClientBuilder.newBuilder().sslContext(sslcontext).hostnameVerifier(new HostnameVerifier() {
        @Override
        public boolean verify(String requestedHost, SSLSession remoteServerSession) {
            return requestedHost.equalsIgnoreCase(remoteServerSession.getPeerHost()); // Compliant
        }
    }).build();

But in the javadoc of SSLSession.getPeerHost() I can read:

This value is not authenticated and should not be relied upon. It is mainly used as a hint for SSLSession caching strategies.


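This confuses me. If the getPeerHost() value cannot be trusted, how can it be the recommended compliant code for fixing the vulnerability? Is it safe? Which attacks does it prevent, and which does it not prevent?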

Best answer

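While using 'peerHost' is certainly much better than a blanket 'return true', it is still not without risk.
'peerHost' may be retrieved through reverse DNS. This leads to the flaw CWE-350: Reliance on Reverse DNS Resolution for a Security-Critical Action. MITRE says the following about it: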

Since DNS names can be easily spoofed or misreported, and it may be difficult for the software to detect if a trusted DNS server has been compromised, DNS names do not constitute a valid authentication mechanism.

When the software performs a reverse DNS resolution for an IP address, if an attacker controls the server for that IP address, then the attacker can cause the server to return an arbitrary hostname. As a result, the attacker may be able to bypass authentication, cause the wrong hostname to be recorded in log files to hide activities, or perform other attacks.

Attackers can spoof DNS names by either (1) compromising a DNS server and modifying its records (sometimes called DNS cache poisoning), or (2) having legitimate control over a DNS server associated with their IP address.


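The best practice is to address the root problem of why the given hostname does not match the hostname in the certificate.
Note that SonarSource has updated its example code to reflect this: https://rules.sonarsource.com/java/RSPEC-5527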
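
As an added illustration (not code from the original post or from SonarSource), a verifier can compare the requested host with the dNSName entries of the peer's leaf certificate instead of the unauthenticated getPeerHost() hint. It assumes the SSLContext uses a trust manager that validated the certificate chain; the class name SanHostnameVerifier is hypothetical, and the matching is simplified (dNSName entries only, one left-most wildcard label, IP-address hosts rejected).

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

/** Hypothetical class: checks the requested host against the certificate's dNSName SANs. */
public final class SanHostnameVerifier implements HostnameVerifier {
    private static final int DNS_NAME = 2; // GeneralName tag for dNSName (RFC 5280)

    @Override
    public boolean verify(String requestedHost, SSLSession session) {
        try {
            // Assumption: the chain was validated by the trust manager during the handshake,
            // so the leaf certificate is authenticated data, unlike getPeerHost().
            X509Certificate leaf = (X509Certificate) session.getPeerCertificates()[0];
            Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
            if (sans == null) {
                return false; // no SAN extension: fail closed
            }
            String host = requestedHost.toLowerCase(Locale.ROOT);
            for (List<?> san : sans) {
                if ((Integer) san.get(0) == DNS_NAME && matches(host, (String) san.get(1))) {
                    return true;
                }
            }
            return false;
        } catch (SSLPeerUnverifiedException | CertificateParsingException | ClassCastException e) {
            return false; // peer not authenticated or certificate unreadable: reject
        }
    }

    /** Exact match, or a "*." pattern covering exactly one left-most label. */
    static boolean matches(String host, String pattern) {
        String p = pattern.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) {
            return host.equals(p);
        }
        int dot = host.indexOf('.');
        return dot > 0 && host.substring(dot).equals(p.substring(1));
    }
}
```

Where the certificate already carries the correct name, leaving the client's default hostname verification in place avoids the need for any custom verifier.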

Regarding "java - Is it safe to trust peerHost in a HostnameVerifier?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/62593328/
