In case certificate validation is empty, all SSL certificates are considered as valid. This allows the possibility of a man-in-the-middle attack, so that an intruder can get an access to secure data.

Mitigation and prevention

To prevent the issue, “verify” methods of a class, implementing X509HostnameVerifier interface, should perform actual validation and not be empty or consist of a single return statement.

Vulnerable code example

private static X509HostnameVerifier ACCEPT_ALL_HOSTNAMES =  
    new X509HostnameVerifier() {
        public void verify(String host, String[] cns, String[] subjectAlts) throws SSLException {
        }
        public void verify(String host, X509Certificate cert) throws SSLException {
        }
        public void verify(String host, SSLSocket ssl) throws IOException {
        }
        public boolean verify(String host, SSLSession session) { 
        return true;
    }
};