hacksong / jsonrpc4j

Automatically exported from code.google.com/p/jsonrpc4j

Vulnerability: JsonRpcHttpAsyncClient disables SSL certificate checking by default #53

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
The code of JsonRpcHttpAsyncClient.java clearly shows that by default a "Null 
TrustManager" is used which does not check the SSL server certificate at all 
(no authentication). 

See 
http://code.google.com/p/jsonrpc4j/source/browse/trunk/jsonrpc4j/src/main/java/com/googlecode/jsonrpc4j/JsonRpcHttpAsyncClient.java

Placing such code in a production library is a severe security vulnerability as 
no one expects this. 

Effectively this disables the Man-in-the-Middle protection of the SSL 
connection.

Even if such code is used in test code, a warning has to be logged to inform 
the user about this behavior.

Conclusion: The X509TrustManager implementation inside JsonRpcHttpAsyncClient 
has to be removed immediately from the code.
If an SSLContext is needed and it is not provided, use the one provided by 
SSLContext.getDefault() instead.

Original issue reported on code.google.com by jan.stot...@googlemail.com on 27 Feb 2013 at 9:15
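The pattern the report describes, and the fix it proposes, side by side. This is an added illustration written for this page, not code from jsonrpc4j or from the reporter; the class name TrustManagerExample and all method names are chosen for the example. It also includes a small probe a practitioner can run against any X509TrustManager to tell a real validator from a "null" one: a real validator must reject an empty certificate chain, whereas a trust-all implementation silently accepts it.

```java
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.logging.Logger;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example (not jsonrpc4j code): the "null" X509TrustManager anti-pattern
 * beside the fix of falling back to SSLContext.getDefault(), plus a probe that
 * distinguishes a validating trust manager from one that accepts anything.
 */
public final class TrustManagerExample {

    private static final Logger LOG = Logger.getLogger(TrustManagerExample.class.getName());

    /** VULNERABLE: a trust manager that accepts every server chain (no authentication). */
    static X509TrustManager nullTrustManager() {
        return new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
    }

    /** VULNERABLE: an SSLContext built on the null trust manager. Any MITM certificate passes. */
    static SSLContext trustAllContext() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { nullTrustManager() }, new SecureRandom());
        // If this is ever kept for test code, at least say so loudly, as the report asks.
        LOG.warning("TLS server certificate validation is DISABLED; never use outside tests");
        return ctx;
    }

    /**
     * FIXED: honour a caller-supplied SSLContext; if none is given, use the JVM
     * default, which validates the server chain against the default trust store.
     */
    static SSLContext effectiveContext(SSLContext provided) throws Exception {
        return provided != null ? provided : SSLContext.getDefault();
    }

    /** The JVM's default X509TrustManager (backed by the cacerts trust store). */
    static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null KeyStore selects the JVM default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /**
     * Probe: a validating trust manager must reject an empty chain (the JDK's
     * implementation throws IllegalArgumentException); a null trust manager
     * returns normally, i.e. it accepts anything.
     */
    static boolean acceptsAnything(X509TrustManager tm) {
        try {
            tm.checkServerTrusted(new X509Certificate[0], "RSA");
            return true;
        } catch (Exception rejected) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("null trust manager accepts anything:    " + acceptsAnything(nullTrustManager()));
        System.out.println("default trust manager accepts anything: " + acceptsAnything(defaultTrustManager()));

        // The fixed fallback: no context supplied, so the JVM default is used.
        SSLContext ctx = effectiveContext(null);
        System.out.println("fallback context protocol: " + ctx.getProtocol());
    }
}
```

Run with `java TrustManagerExample.java` (JDK 11 or later). Note that replacing the trust manager only restores chain validation; hostname verification is a separate step in the HTTP client and must also be left at its default.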

GoogleCodeExporter commented 9 years ago
I'll address this in the next release - not sure how I missed that.

Original comment by brian.di...@gmail.com on 12 Mar 2013 at 2:05

GoogleCodeExporter commented 9 years ago
Fixed, will be included in next release

Original comment by brian.di...@gmail.com on 24 Mar 2013 at 8:06