Skip to content

Default to enabling SSL check server identity#178

Merged
ennru merged 4 commits into
playframework:masterfrom
jroper:default-ssl-checkserveridentity
May 19, 2020
Merged

Default to enabling SSL check server identity#178
ennru merged 4 commits into
playframework:masterfrom
jroper:default-ssl-checkserveridentity

Conversation

@jroper

@jroper jroper commented May 18, 2020

Copy link
Copy Markdown
Member

I've tested this locally to ensure that SSL connections fail when the certificate presented doesn't match the hostname used, and to ensure that they succeed when it does. Also I tested and verified by manual code inspection of the Java mail library that enabling this when SSL is not in use won't impact anything adversely.

@jroper jroper force-pushed the default-ssl-checkserveridentity branch from a75aa81 to 24c5b89 Compare May 18, 2020 05:37
// Results in "mail.smtp.localhost=127.0.0.1" and "mail.smtps.localhost=127.0.0.1" in the JavaMail session.

// If using SSL, we want to default to verifying that we trust the SSL certificate provided by the server.
ssl.checkserveridentity = true

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

"validate the configuration" in new WithApplication(applicationWithMoreMailerConfiguration) {
app.injector.instanceOf(bind[SMTPConfiguration]) must ===(SMTPConfiguration("typesafe.org", 25, user = Some("typesafe"), password = Some("typesafe")))
app.injector.instanceOf(bind[SMTPConfiguration]) must ===(SMTPConfiguration("typesafe.org", 25,
user = Some("typesafe"), password = Some("typesafe"), props = ConfigFactory.parseString("ssl.checkserveridentity=true")))

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So when constructing the SMTPConfiguration from code rather than from configuration the default is still off. That might still be a risk.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Probably the best we can do is add a log WARN when that happens.

case class SMTPConfiguration(host: String,
                             port: Int,
                             ssl: Boolean = false,
                             tls: Boolean = false,
                             tlsRequired: Boolean = false,
                             user: Option[String] = None,
                             password: Option[String] = None,
                             debugMode: Boolean = false,
                             timeout: Option[Int] = None,
                             connectionTimeout: Option[Int] = None,
                             props: Config = ConfigFactory.empty(),
                             mock: Boolean = false) {
  private val logger: Logger =
    LoggerFactory.getLogger(classOf[SMTPConfiguration])

  if ((ssl || tls) && !props.getBoolean(
        "ssl.checkserveridentity"
      ))
    logger.warn(
      "You are using ssl/tls but no hostname verification. Enable hostname verification using play.mailer.props.ssl.checkserveridentity = true"
    )
}

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's fine as is, no one loads one of this from code, if you're going to all that effort, I don't know why you'd even use this library, it doesn't do much.

@ennru ennru force-pushed the default-ssl-checkserveridentity branch from 24c5b89 to 0135382 Compare May 18, 2020 15:05
@ennru

ennru commented May 18, 2020

Copy link
Copy Markdown
Contributor

Something touches a file so that my variant of using dynver to get align versions doesn't work https://travis-ci.com/github/playframework/play-mailer/jobs/336132876#L517
I don't see what is touched (and why), yet.

@ignasi35

Copy link
Copy Markdown
Member

Needs backport to 7.0.x

@ignasi35

Copy link
Copy Markdown
Member

Users affected by the CVE can just add the setting and restart the service.

@ennru ennru left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

@ennru ennru merged commit 3c12bca into playframework:master May 19, 2020
@jroper jroper deleted the default-ssl-checkserveridentity branch May 19, 2020 07:35
ennru pushed a commit to ennru/play-mailer that referenced this pull request May 19, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants