High severity · NVD Advisory · Published Dec 8, 2020 · Updated Aug 4, 2024

Disabled Hostname Verification in OpenCast

CVE-2020-26234

Description

Opencast before versions 8.9 and 7.9 disables HTTPS hostname verification of the HTTP client used for a large portion of Opencast's HTTP requests. Hostname verification is an essential part of using HTTPS, as it ensures that the presented certificate is valid for the host being contacted. Disabling it can allow man-in-the-middle attacks. This problem is fixed in Opencast 7.9 and Opencast 8.8. Please be aware that fixing the problem means that Opencast will no longer simply accept self-signed certificates without their being properly imported. If you need those, please make sure to import them into the Java key store. Better yet, get a valid certificate.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
org.opencastproject:opencast-kernel (Maven) | < 7.9 | 7.9
org.opencastproject:opencast-kernel (Maven) | >= 8.0, < 8.9 | 8.9


Patches

4225bf90af74

Re-Enable Hostname Verification

https://github.com/opencast/opencast · Lars Kiesow · Nov 17, 2020 · via ghsa
1 file changed · +1 136
  • modules/kernel/src/main/java/org/opencastproject/kernel/http/impl/HttpClientImpl.java+1 136 modified
    @@ -27,28 +27,12 @@
     import org.apache.http.client.CredentialsProvider;
     import org.apache.http.client.methods.HttpUriRequest;
     import org.apache.http.conn.ClientConnectionManager;
    -import org.apache.http.conn.scheme.Scheme;
    -import org.apache.http.conn.scheme.SchemeRegistry;
    -import org.apache.http.conn.ssl.SSLSocketFactory;
    -import org.apache.http.conn.ssl.X509HostnameVerifier;
     import org.apache.http.impl.client.DefaultHttpClient;
     import org.apache.http.params.HttpParams;
     import org.slf4j.Logger;
     import org.slf4j.LoggerFactory;
     
     import java.io.IOException;
    -import java.security.KeyManagementException;
    -import java.security.NoSuchAlgorithmException;
    -import java.security.SecureRandom;
    -import java.security.cert.CertificateException;
    -import java.security.cert.X509Certificate;
    -
    -import javax.net.ssl.SSLContext;
    -import javax.net.ssl.SSLException;
    -import javax.net.ssl.SSLSession;
    -import javax.net.ssl.SSLSocket;
    -import javax.net.ssl.TrustManager;
    -import javax.net.ssl.X509TrustManager;
     
     /** Implementation of HttpClient that makes http requests. */
     public class HttpClientImpl implements HttpClient {
    @@ -57,7 +41,7 @@ public class HttpClientImpl implements HttpClient {
       private static final Logger logger = LoggerFactory.getLogger(HttpClientImpl.class);
     
       /** client used for all http requests. */
    -  private DefaultHttpClient defaultHttpClient = makeHttpClient();
    +  private DefaultHttpClient defaultHttpClient = new DefaultHttpClient();
     
       /** See org.opencastproject.kernel.http.api.HttpClient */
       @Override
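Review bot: The new initializer `new DefaultHttpClient()` leaves the field comment on the line above unchanged at "client used for all http requests", although the behaviour it now documents is materially different: with the trust-all manager and the no-op verifier gone, certificate validation falls back to the JVM default trust store and the client's default hostname verifier. I would extend the comment to `/** client used for all http requests; relies on the JVM trust store and the default hostname verifier, so self-signed certificates must be imported into the key store rather than being accepted blindly. */` so the next maintainer does not reintroduce a permissive factory to "fix" a handshake failure. `DefaultHttpClient` is also deprecated from HttpClient 4.3 onwards, so if the project is on that line, `HttpClients.createDefault()` would be the non-deprecated equivalent with the same default validation. The enclosing class continues outside the hunk.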
    @@ -83,123 +67,4 @@ public ClientConnectionManager getConnectionManager() {
         return defaultHttpClient.getConnectionManager();
       }
     
    -  /**
    -   * Creates a new client that can deal with all kinds of oddities with regards to http/https connections.
    -   *
    -   * @return the client
    -   */
    -  private DefaultHttpClient makeHttpClient() {
    -
    -    DefaultHttpClient defaultHttpClient = new DefaultHttpClient();
    -    try {
    -      logger.debug("Installing forgiving hostname verifier and trust managers");
    -      X509TrustManager trustManager = createTrustManager();
    -      X509HostnameVerifier hostNameVerifier = createHostNameVerifier();
    -      SSLContext sslContext = SSLContext.getInstance("TLS");
    -      sslContext.init(null, new TrustManager[] { trustManager }, new SecureRandom());
    -      SSLSocketFactory ssf = new SSLSocketFactory(sslContext, hostNameVerifier);
    -      ClientConnectionManager ccm = defaultHttpClient.getConnectionManager();
    -      SchemeRegistry sr = ccm.getSchemeRegistry();
    -      sr.register(new Scheme("https", 443, ssf));
    -    } catch (NoSuchAlgorithmException e) {
    -      logger.error("Error creating context to handle TLS connections: {}", e.getMessage());
    -    } catch (KeyManagementException e) {
    -      logger.error("Error creating context to handle TLS connections: {}", e.getMessage());
    -    }
    -
    -    return defaultHttpClient;
    -  }
    -
    -  /**
    -   * Returns a new trust manager which will be in charge of checking the SSL certificates that are being presented by
    -   * SSL enabled hosts.
    -   *
    -   * @return the trust manager
    -   */
    -  private X509TrustManager createTrustManager() {
    -    X509TrustManager trustManager = new X509TrustManager() {
    -
    -      /**
    -       * {@InheritDoc}
    -       *
    -       * @see javax.net.ssl.X509TrustManager#checkClientTrusted(java.security.cert.X509Certificate[], java.lang.String)
    -       */
    -      public void checkClientTrusted(X509Certificate[] xcs, String string) throws CertificateException {
    -        logger.trace("Skipping trust check on client certificate {}", string);
    -      }
    -
    -      /**
    -       * {@InheritDoc}
    -       *
    -       * @see javax.net.ssl.X509TrustManager#checkServerTrusted(java.security.cert.X509Certificate[], java.lang.String)
    -       */
    -      public void checkServerTrusted(X509Certificate[] xcs, String string) throws CertificateException {
    -        logger.trace("Skipping trust check on server certificate {}", string);
    -      }
    -
    -      /**
    -       * {@InheritDoc}
    -       *
    -       * @see javax.net.ssl.X509TrustManager#getAcceptedIssuers()
    -       */
    -      public X509Certificate[] getAcceptedIssuers() {
    -        logger.trace("Returning empty list of accepted issuers");
    -        return null;
    -      }
    -
    -    };
    -
    -    return trustManager;
    -  }
    -
    -  /**
    -   * Creates a host name verifier that will make sure the SSL host's name matches the name in the SSL certificate.
    -   *
    -   * @return the host name verifier
    -   */
    -  private X509HostnameVerifier createHostNameVerifier() {
    -    X509HostnameVerifier verifier = new X509HostnameVerifier() {
    -
    -      /**
    -       * {@InheritDoc}
    -       *
    -       * @see org.apache.http.conn.ssl.X509HostnameVerifier#verify(java.lang.String, javax.net.ssl.SSLSocket)
    -       */
    -      public void verify(String host, SSLSocket ssl) throws IOException {
    -        logger.trace("Skipping SSL host name check on {}", host);
    -      }
    -
    -      /**
    -       * {@InheritDoc}
    -       *
    -       * @see org.apache.http.conn.ssl.X509HostnameVerifier#verify(java.lang.String, java.security.cert.X509Certificate)
    -       */
    -      public void verify(String host, X509Certificate xc) throws SSLException {
    -        logger.trace("Skipping X509 certificate host name check on {}", host);
    -      }
    -
    -      /**
    -       * {@InheritDoc}
    -       *
    -       * @see org.apache.http.conn.ssl.X509HostnameVerifier#verify(java.lang.String, java.lang.String[],
    -       *      java.lang.String[])
    -       */
    -      public void verify(String host, String[] cns, String[] subjectAlts) throws SSLException {
    -        logger.trace("Skipping DNS host name check on {}", host);
    -      }
    -
    -      /**
    -       * {@InheritDoc}
    -       *
    -       * @see javax.net.ssl.HostnameVerifier#verify(java.lang.String, javax.net.ssl.SSLSession)
    -       */
    -      public boolean verify(String host, SSLSession ssl) {
    -        logger.trace("Skipping SSL session host name check on {}", host);
    -        return true;
    -      }
    -    };
    -
    -    return verifier;
    -  }
    -
     }
    

