# Insecure SMTP SSL Configuration

## Description

Server identity verification is disabled when making SSL connections, which can lead to man-in-the-middle attacks.

## Examples

### Insecure Code

```scala
import org.apache.commons.mail.SimpleEmail

val email = new SimpleEmail()
email.setSSLOnConnect(true) // TLS is used, but the server certificate is never matched against the host name
```

### Secure Code

```scala
import org.apache.commons.mail.SimpleEmail

val email = new SimpleEmail()
email.setSSLOnConnect(true)
email.setSSLCheckServerIdentity(true) // reject a certificate whose subject does not match the SMTP host
```

## Remediation

Enable server identity verification by calling setSSLCheckServerIdentity(true) on the email object after setting SSLOnConnect to true.

## Rule Details
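The snippet below is an added example, not part of the rule text or of Apache Commons Email. It assumes commons-email 1.x on the classpath and shows the remediation applied in a small factory, plus an audit helper that inspects an `Email` before `send()` is called, so the missing `setSSLCheckServerIdentity(true)` (and the related case of opportunistic STARTTLS) is caught in code review or a unit test rather than in production. `HardenedSmtp`, `newEmail` and `auditTransport` are hypothetical names chosen for this example; the `Email` getters they call (`isSSLOnConnect`, `isStartTLSEnabled`, `isStartTLSRequired`, `isSSLCheckServerIdentity`) are the library's own.

```scala
import org.apache.commons.mail.{DefaultAuthenticator, Email, SimpleEmail}
import scala.collection.mutable.ListBuffer

// Hypothetical helper (not part of the rule or of Commons Email).
object HardenedSmtp {

  // Builds a SimpleEmail whose transport settings are fixed before any message is sent.
  def newEmail(host: String, user: String, password: String): SimpleEmail = {
    val email = new SimpleEmail()
    email.setHostName(host)
    email.setSslSmtpPort("465")           // implicit-TLS SMTP port
    email.setSSLOnConnect(true)           // wrap the connection in TLS from the first byte
    email.setSSLCheckServerIdentity(true) // the fix this rule requires: certificate must match `host`
    email.setAuthenticator(new DefaultAuthenticator(user, password))
    email
  }

  // Returns the transport weaknesses found; an empty list means the email is safe to send.
  def auditTransport(email: Email): List[String] = {
    val findings = ListBuffer.empty[String]
    val usesTls = email.isSSLOnConnect() || email.isStartTLSEnabled()

    if (!usesTls)
      findings += "no TLS: neither SSLOnConnect nor STARTTLS is enabled"

    // STARTTLS that is merely enabled falls back to plaintext if the server does not offer it.
    if (email.isStartTLSEnabled() && !email.isStartTLSRequired())
      findings += "STARTTLS is opportunistic: call setStartTLSRequired(true)"

    // The check this rule is about: identity verification matters for both SSLOnConnect and STARTTLS.
    if (usesTls && !email.isSSLCheckServerIdentity())
      findings += "server identity verification disabled (CWE-297): call setSSLCheckServerIdentity(true)"

    findings.toList
  }
}

object Demo extends App {
  // Constructed host name; nothing is sent, getMailSession()/send() are never called.
  val host = "smtp.example.invalid"

  // The insecure form from the rule: TLS on, identity check off.
  val insecure = new SimpleEmail()
  insecure.setHostName(host)
  insecure.setSSLOnConnect(true)
  println(s"insecure: ${HardenedSmtp.auditTransport(insecure)}")

  // The remediated form: expected to produce no findings.
  val hardened = HardenedSmtp.newEmail(host, "user", "placeholder-password")
  println(s"hardened: ${HardenedSmtp.auditTransport(hardened)}")
}
```

Running `auditTransport` against every `Email` a service constructs (for example in a test that exercises the mail factory) turns this rule into a regression check: the insecure object above yields one finding naming `setSSLCheckServerIdentity(true)`, while the object from `newEmail` yields none.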
| Field | Value |
|---|---|
| ID | CODE-0065 |
| Category | InsecureConfig |
| Severity | HIGH |
| CWE | CWE-297 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | SMTP, SSL, TLS |
| OWASP | A2:2017-Broken Authentication, A07:2021-Identification and Authentication Failures |