CVE-2014-3603

Severity: 5.9

Description

The (1) HttpResource and (2) FileBackedHttpResource implementations in Shibboleth Identity Provider (IdP) before 2.4.1 and OpenSAML Java 2.6.2 do not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Mitigation

IdP users: Upgrade to IdP 2.4.1 or greater, which globally configures an appropriate hostname verifier for use with HttpClient. If this is not feasible, and the only use of these resource types is with a ResourceBackedMetadataProvider, then consider replacing the latter with either a HTTPMetadataProvider or FileBackedHTTPMetadataProvider.

OpenSAML users: Upgrade to OpenSAML Java 2.6.2 or greater, which globally configures an appropriate hostname verifier for use with HttpClient. If this is not feasible, it is also possible to replicate in your own code the registration of the appropriate hostname-verifying socket factory added in 2.6.2. See the HttpClient 3.x web site, or contact the Shibboleth developer list for details.

Note that in IdP v2.4.0 and above, use of the HTTP metadata provider configuration option 'disregardSslCertificate' will globally disable HttpClient hostname verification as well as TLS certificate trust evaluation. This would include the HttpResource hostname verification being added in the 2.4.1 release. This is a limitation caused by API issues with HttpClient 3.x, and will be addressed in the 3.x version of the Identity Provider. See the following related security advisory: http://shibboleth.net/community/advisories/secadv_20130417.txt

Reference: [https://shibboleth.net/community/advisories/secadv_20140813.txt](https://shibboleth.net/community/advisories/secadv_20140813.txt)
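The check that the vulnerable HttpResource and FileBackedHttpResource classes skipped, written here as an added Python example (not Shibboleth, OpenSAML or HttpClient code): the dialled hostname is matched against the certificate's dNSName subjectAltName entries, falling back to the subject CN only when no dNSName entries exist. It assumes the caller has already extracted those names from a chain that passed trust evaluation; the helper names and sample values are constructed for illustration.

```python
"""Hostname verification of the kind CVE-2014-3603 describes as missing.

Added example; not the project's code.  Trust evaluation of the chain is
a separate step that must still happen before this check is meaningful.
"""
import ipaddress
from typing import List, Optional


def _match_dns_pattern(pattern: str, hostname: str) -> bool:
    """Match one dNSName/CN value against the hostname.

    Comparison is case-insensitive.  A wildcard is honoured only when it is
    the entire leftmost label and at least two further labels follow, so
    '*.example.org' covers 'idp.example.org' but not 'a.b.example.org',
    and '*.org' covers nothing.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(hostname: str, san_dns: List[str], subject_cn: Optional[str]) -> bool:
    """Return True if the certificate names cover the dialled hostname.

    dNSName SAN entries take precedence; the CN is consulted only when the
    certificate carries no dNSName entries.  An IP-literal hostname never
    matches a dNSName or CN (it would need an iPAddress SAN, not handled
    here), so it is rejected rather than accidentally accepted.
    """
    try:
        ipaddress.ip_address(hostname)
        return False
    except ValueError:
        pass  # a DNS name, as expected
    if san_dns:
        return any(_match_dns_pattern(name, hostname) for name in san_dns)
    return subject_cn is not None and _match_dns_pattern(subject_cn, hostname)


# Constructed sample: a valid certificate for another host must be refused.
SAMPLE_HOST = "idp.example.org"
SAMPLE_SAN = ["sso.example.org"]
SAMPLE_CN = "idp.example.org"  # CN is ignored because dNSName entries exist
```

A wrapper that omits this step accepts any certificate a trusted CA has issued for any name, which is exactly the man-in-the-middle condition the description above states.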

Project: Apache TomEE

Category: Other

Tags: data, functional

Date Disclosed: 2019-04-04

Date Discovered: 2014-05-14
