Unsafe SSL TrustManager Defined


mfred...@thunderhead.com

Sep 3, 2020, 1:38:48 PM
to Signpost users
The version of the Jetty client being used raises a security flag when submitting Android apps to the app store. Can the Jetty version be updated to a newer version where this issue is fixed?

The following Java or Kotlin classes defined within the App define [a custom `X509TrustManager`](https://developer.android.com/reference/javax/net/ssl/X509TrustManager.html) that does not validate SSL certificates:

`org.mortbay.jetty.client.HttpClient$b`

This can be found in the HttpClient class:

```java
protected SSLContext getLooseSSLContext() throws IOException
{
    // Create a trust manager that does not validate certificate
    // chains
    TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager()
    {
        public java.security.cert.X509Certificate[] getAcceptedIssuers()
        {
            return null;
        }

        public void checkClientTrusted( java.security.cert.X509Certificate[] certs, String authType )
        {
        }

        public void checkServerTrusted( java.security.cert.X509Certificate[] certs, String authType )
        {
        }
    } };
```
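For comparison, here is an added Java example (not Jetty's code and not part of the original post) that places the trust-all pattern quoted above beside the safe alternative, a trust manager obtained from `TrustManagerFactory` with the platform's default trust store, and includes a small runtime check that tells the two apart. The check relies on the behaviour of the JDK and Android (Conscrypt) default `X509TrustManager` implementations, which reject a null or empty chain with `IllegalArgumentException`; the class and method names (`TrustManagerCheck`, `TrustAllManager`, `platformDefaultTrustManager`, `strictSslContext`, `acceptsEmptyChain`) are this example's own.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustManagerCheck {

    /** The pattern flagged in the post: every chain is accepted, nothing is validated. */
    static final class TrustAllManager implements X509TrustManager {
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
    }

    /** Safe default: PKIX validation against the JVM's or Android's built-in trust store. */
    static X509TrustManager platformDefaultTrustManager() throws GeneralSecurityException {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null KeyStore = use the platform default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new GeneralSecurityException("no X509TrustManager available");
    }

    /** The SSLContext an HTTP client should be handed instead of a "loose" one. */
    static SSLContext strictSslContext() throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { platformDefaultTrustManager() }, null);
        return ctx;
    }

    /**
     * Runtime heuristic (assumption: holds for the JDK and Conscrypt defaults):
     * a real validator rejects an empty chain with IllegalArgumentException or
     * CertificateException, while a trust-all manager returns silently.
     * Returns true when the manager accepts the empty chain, i.e. is unsafe.
     */
    static boolean acceptsEmptyChain(X509TrustManager tm) {
        try {
            tm.checkServerTrusted(new X509Certificate[0], "RSA");
            return true;
        } catch (IllegalArgumentException | CertificateException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("trust-all accepts empty chain: "
            + acceptsEmptyChain(new TrustAllManager()));
        System.out.println("platform default accepts empty chain: "
            + acceptsEmptyChain(platformDefaultTrustManager()));
        // Build the strict context once to show it initialises without error.
        strictSslContext();
    }
}
```

`acceptsEmptyChain` is only a quick sanity probe for test code, not a substitute for static analysis of the app: the app-store check that flagged `HttpClient$b` works by finding `X509TrustManager` implementations with empty `checkServerTrusted` bodies, so the durable fix is to stop constructing such a manager at all and hand the client an `SSLContext` built as in `strictSslContext`.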