Check server identity by default
Closed this issue · 1 comments
oliverlietz commented
Server Identity Check should be enabled by default to prevent MITM attacks.
See also discussion in jakartaee/mail-api#429 and SSLNOTES:
-- Server Identity Check
RFC 2595 specifies addition checks that must be performed on the
server's certificate to ensure that the server you connected to is
the server you intended to connect to. This reduces the risk of
"man in the middle" attacks. For compatibility with earlier releases
of Jakarta Mail, these additional checks are disabled by default. We
strongly recommend that you enable these checks when using SSL. To
enable these checks, set the "mail..ssl.checkserveridentity"
property to "true".
oliverlietz commented
Implemented in #14