openjdk team mailing list archive

Thread
Date

Bug#944666: jconsole does not verify the domain name nor check whether the CA is trusted

To: 944666@xxxxxxxxxxxxxxx
From: Laurent Bigonville <bigon@xxxxxxxxxx>
Date: Wed, 13 Nov 2019 16:36:29 +0100
Autocrypt: addr=bigon@xxxxxxxxxx; keydata= mQINBEt3P9IBEAC883icAuxmVt4deGPxDeiEV2cT4pw4uXibIeZ1XNSrwrWcAgsK/o61nZWT hxIpTFe2c3/B+ijBdEHXqV9lZMsIgiAyExfkwM4DCamEtXoC3Cec9BlGuIJ/Eti8bb/wsvOt SQiQC7X/j51ExB7ag+f/9LINLcNgn1PP4kqAAo+d1zgEXyQLJmqqxaYwuwyJausPUu3UuSUH k6Gujhs3eB5lf5SNPR347JGLyv/L03EbwBgUxte4w0IkXfxxFSj93aOv69+mJNmPUgjNDn+A oYTLT5ddsls4iNzwd4zdqDJtCrNnlG7xXf1mkB+v4j96n00JTMYX2v+vN1TK2kAzo1WnMhhc WZv6f50uskCcdqzuNkSzEHBPoVZRX6FPtSfqbBcqRvyYwNn6Dv8V+k0LWLr6SJukl96a/C7u ZLOnIzie+B3/Oj+YQKJf7TLUJUi0tt6Z/LFZ4Qrwu2vJwprlhyKCsos2+rPs7BQHzg/JEROj j3wXkkILZSuBB+bFIIKJljVwIYM4Feqk0WDhiYbazRY7MWro7ZY8Pp4STjLgaWvJwaUnCrhh T4taVNl7ZxnohbFZhxgtgoK7XHijWbGJnG9Mkg5T4AnI0bQTkZfFR9gReKl2RPHLooHHILBg anj16MvZdebRP7S7JeAy/tpBTJ6chSu6dTevk7jGnxVT51YHHwARAQABtCVMYXVyZW50IEJp Z29udmlsbGUgPGJpZ29uQGRlYmlhbi5vcmc+iQI9BBMBCAAnAhsDBQsJCAcDBRUKCQgLBRYC AwEAAh4BAheABQJUsu1cBQkSz9NMAAoJEMf3+WYNgqaCGOMQAIzBswBywK8pTscmqYcDb6cg aJ8johh/ldRX5zVm0GPzwIAbBTVJxXtTODFbCUL1nDP2NzcbI1w/5m5lN/e3blu29BA+oc6d 2/SM9JlBwmtRpD7DDBfiB40qbVIsDPEPVrM1i7HkBGJJ53hIIDnphdclAWSaJD1b/mJ0fuo1 zxrs3ONxyq2aGyDhX4dT2PH+hoGUTIiQwcYR4yruwpYi+t8w9qb1d50ldWT7BUi+USPRStck Js4cV1cdumBLF29WgAHtHZ23uZ6bJ3Ck/OTk/ntWXPeEBnk2ZvBIHwAeOe5RHVFaR/PnNn26 VyC+RH+Qa1byWJRo4ohd5MUHY0EEIMumT1x3vh6LxGoNaH/nT4KVN4MTMZjAtsKKYrV6UA7y Igcn9yHRoW7p16sYvteO+z68+ox3NSOOKerJawe72xDL8+UXmO4Frxuv7ugplPh2/l4LVVMq 8V6maNz6Q62myMwsScye8zmk8M8R10LtvmT8tUty4ts9Naj9BSt9fRap0nqX/+PJ7KIOzCyZ pOi+shUvRye5PI/yjV+wN8gKQ/k2DMPvlX6PBuWFKxIX5cWloGvAkc0dIbj6ksRPo+Mh9SmA w0dqWtUF2LnMY/xugjvimdkrHJTVuG87gRp/sii/SMrYlF6rCkEEXtse+JEz3vICFuG2BRjN C5491zOTXK/NuQENBEt3QC4BCACpWl7cu9SkZWejaFEHehoZkTN44y5cSOCnptBtOA08tl4m UsWO7j/HmqTgseYAj6p1NO7lK5llcJShb05SWycVlDI/ekVLzE4pIwJ5R5JgxU6FrbT9UXuV 8VAmKXGCtf9SByxRQIqdryJ5fOszrK+Bq/1JDdvNh6F0Ex1S9vjGNIuZGQKEcm8QvJl9EuGk 87kWUlW9brf7eKao9WcJPP+cT2GCE0BFCzOGanBzi4kOSXATO4x1GUBoC0/9ny1ZqFJf9Jab dJDXJy6FzZ9yiUNeMLtqdwCVfXkVfL3BL4h2GgceAE+V1C5deYnA05Uil0IV/QO8zJmIhgYu KjRT08JXABEBAAGJA1sEGAEIACYCGwIWIQR+DtPSs0oDsV+fMSHH9/lmDYKmggUCXJ3U+QUJ EwprSwEpwF0gBBkBCAAGBQJLd0AuAAoJEB/FiR66sEPV7AcH/RwgUYPdxetaY0tOwE1hVIYE 6+hiJXQ9r2SENy2JogTiiRWudzFoDbnQq5g12SGgFy2ANlr26X1/zrgjNkHxq+b3WO7l+8Gx YtSn9nyDfqSQu2AEPlLBrERt4Zqk2yMfosRnIaO+0rXytnsAJSz9SfMBjHT+W7PG0p5XTZaE odA5jvpj1OB4jjq1k3SvLc2MVJTFwi3cgYQBfLOT1hutlyyf/g1U/TZbvfVTKaRAKmUu5Vbr wVXWze+gfm9JUu6cG/43D4Xwi64clLbiLs0jlEjg91NiStGOsBdU7gRHx2f7l2dJhTZCT5le cOxo392L1YAZo9FF250uZ3niH799LfUJEMf3+WYNgqaCiesP/jlx0jEBk3O1y4TNaCUok0C+ liC+o2egjwHvaU1nZzQ5ihT4Z1/2ka6fGkhBKy3Jzh/FctPTVHenaTbMRxikcEvwqm8e1RJW cw+WS8TEGn1iiUmPJ9fQOT0lJbzq9JRvG+wfSVyF2BYX0axttMtzKTVJtBExULh80NGtdETZ PS8oAX1DTLMqB2LKh27VNZwY/SmyXgI59bdy4rXH7bp7CYqmgx49zTcnY5JdKnqRlaVKW4K8 g3qrBg+x8TpCngRTbFRWU8ZEH2qbrOdtLwnQHAwRYledLQOSgHcQbfjT3TXzm6dAPASmAbY6 L7M9mzKKYJs+gr97l9HxHBgAPmlZifvbsPGKiw0nVdqjDypwCUABrg1ljEGHjDqRE3sr5oId 3g+h2lB+XMylrhFJcG8M3nNQnJCCmqHJaiK6lj3WwvYVJ8JYNt9duZKPu82L9I/3c3jjPBKL rrPGjVVc+jmkJCug5vqenJeDu9wPLwHszm128u5cSn75DxPsqkRedP0VcnHYBFECVHXyx6r4 H/4SBcpn8uyKb0gmnWMrvEISPYMn49tu7fIeS/cUdlsw0W7Z5wXW+CG1Y/CnwSxiuqbCUKij rwHPQcd82IJijNJTulI8jbd1CIvWc21HEnOjQcnE+jYkyAxeriC3tPlwafhJqvTzi6ql/pXB 3RihKQ02trTJuQENBEt3QD0BCADDNTw/N1A48sO//JssmJpItyHrJnWdGJvDh5Uq5VqolS39 B8aNdQjjCtIwKLX5afMYvCR5eUjEgEGlfwMcHzAPtLpZlXMoiDaCm/CpSxehUTlfyxWq9Fv8 4dNbz1ecLLRsKodmbXj1D5ZBexIQU2lteV2ljCdy8GWQ0Tgh1LWjVmmK4qdYY9/SOUFlrnTO +CG0hJYm8H9GZSWxWfI/SJjUBJVFM5+U70d5rfKlwvtuFAW1rVWFEHY51XsV8NdUE5GaVLMB P1gvSf/F35LPw2ylyOD6yBy5qG9zFopXR3L1dSapzY9EUlfd6vLisF5oBiKcnO+9VzRcJVBm NZ7Rp41NABEBAAGJAjwEGAEIACYCGwwWIQR+DtPSs0oDsV+fMSHH9/lmDYKmggUCXJ3VGQUJ EwprXAAKCRDH9/lmDYKmgidDD/0RWIHe9AMDcAG5vXBH8djXHgYGMXHKsbhRrMKejykKulK2 Os3fz4ikWsOgNXwoMOXP1uVOMoh9db3hCfpBi8WRBAfBbzZEXTWBIfYj41wydQ+nTs96RWOJ wTPV741Mtv6farz7Uyl6NGn0TIrYvAuFAPGbl2eVAGuCM+gosjvThW4+iy8cIwYxPzjz68W9 FbzSiBH6DDaOtqGJTzbpc5CYfqGHTOPbvzQ2uBHhQhwJWMdq1/0KkC9s3mE46ZiTyuEsTqmt XNCdV81/7fJxaEr+F4EZHuEPN/bvoPHyNx/IUuoIhxMQ0RnpLnjpopjogzy+KEugqLevc6XP 5YSmVHoZlBtOa0X4m5ypLkJBGEVkGPV0QNhfmZDc0LgVlfULKqjFvhvO6R0Kt6AyoT/QeJ+V kXzW0uphVvXWKDvMmQGytMYgIzpcNOo0nDgzfgP7wduJlm5Kwqd0LIgJ27ejgblwJsqBEJ07 RFViATm5VMioXA8CjUf4t8DIGGIAq6dEbkQ7/LGI1re6C6mrugrWbZxvy0SAyWPYhSn6uMll VdO90/1mLOUVme97oVnmoNgcrk44FkJeV/8kF6YQrlssk96KPjONpHyNPhERilAO2Y1yBC98 pxDzQ7s5MrW77TSH81HT4+Jqqh/2LMRL2zeD7swT8llQw5u2AJ5XX+Eanpbk2g==
In-reply-to: <157365691828.28282.8900284030596082944.reportbug@edoras.bigon.be>
Reply-to: Laurent Bigonville <bigon@xxxxxxxxxx>, 944666@xxxxxxxxxxxxxxx
Resent-cc: OpenJDK Team <openjdk@xxxxxxxxxxxxxxxxxxx>
Resent-date: Wed, 13 Nov 2019 15:39:06 +0000
Resent-from: Laurent Bigonville <bigon@xxxxxxxxxx>
Resent-message-id: <handler.944666.B944666.157365939218488@xxxxxxxxxxxxxxx>
Resent-to: debian-bugs-dist@xxxxxxxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.2.2

On Wed, 13 Nov 2019 15:55:18 +0100 Laurent Bigonville <bigon@xxxxxxxxxx>wrote:

> Hi,
>

> Except if I'm severly mistaken, it seems that jconsole does notverify the

> domain name nor check whether the CA is trusted when connecting to a JVM
> that has SSL enabled for JMX.
>
> This can lead to MITM and stealing of the credentials used to connect to
> JMX.

Little correction here.

jconsole does verify that the CA is trusted. My confusion comes from#767272 and the fact that ca-certificates-java is not cleaning theremoved certificates from the java trusted store.

But I can confirm that jconsole is not checking the CN/AltNames of thecertificate (if I'm using the IP instead of the DNS name the connectionis still happening without warnings)

References

Bug#944666: jconsole does not verify the domain name nor check whether the CA is trusted
From: Laurent Bigonville, 2019-11-13