The Paho Java client does not perform peer verification on
the connected socket. This allows peer spoofing / MITM
attacks.
Proposed Solution #1
Like HttpsURLConnection, the IMQTTClient interface could
get something like the following:
    void setHostnameVerifier(HostnameVerifier hv);
where the Java 5 built-in HostnameVerifier interface is either
reused as-is or inspires a Paho equivalent.
Proposed Solution #2
Instead of SSLNetworkModule / TCPNetworkModule creating a
disconnected socket via SocketFactory.createSocket(), use
    SocketFactory.createSocket(String hostname, int port)
A custom SSLFactory implementation could look like:
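    import java.io.IOException;
    import java.net.Socket;
    import javax.net.ssl.SSLSocket;
    import javax.net.ssl.SSLSocketFactory;

    class MySSLSocketFactory {
        SSLSocketFactory delegate;

        SSLSocket createSocket(String hostname, int port)
                throws IOException {
            // Create the socket already connected to the named peer
            SSLSocket s = (SSLSocket) delegate.createSocket(hostname, port);
            s.startHandshake();
            // Check the peer before the socket is handed to the caller
            verifyHostName(s, hostname);
            return s;
        }

        void verifyHostName(Socket s, String host) throws IOException {
            // Throw exception if fail verification
        }
    }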
In any case, I think the Paho client should not create a
disconnected socket; this allows the SSLSocketFactory to apply
alternative settings and policies on the created socket.
Note: Java 7 has X509ExtendedTrustManager which is a
connection-sensitive trust manager. This may also be leveraged
in the future, but is relatively new.
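
An added example, not Paho code and not part of the original report: a wrapper factory along the lines of Proposed Solution #2 that uses the Java 7 connection-sensitive trust manager path mentioned in the note. The class name VerifyingSSLSocketFactory is hypothetical; it assumes Java 7 or later and that HTTPS-style (RFC 2818) name matching is acceptable for the broker's certificate.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Hypothetical wrapper (not a Paho class): every socket it returns has
// completed a handshake with the certificate checked against the host name.
final class VerifyingSSLSocketFactory extends SSLSocketFactory {
    private final SSLSocketFactory delegate;

    VerifyingSSLSocketFactory(SSLSocketFactory delegate) { this.delegate = delegate; }

    private Socket verify(Socket socket) throws IOException {
        SSLSocket s = (SSLSocket) socket;
        try {
            SSLParameters p = s.getSSLParameters();
            // Java 7+: the trust manager also matches the certificate's
            // names against the host this socket was created for.
            p.setEndpointIdentificationAlgorithm("HTTPS");
            s.setSSLParameters(p);
            s.startHandshake(); // throws if the certificate does not match the host
            return s;
        } catch (IOException e) {
            s.close(); // never hand back or leak an unverified connection
            throw e;
        }
    }
    @Override public Socket createSocket(String host, int port) throws IOException {
        return verify(delegate.createSocket(host, port));
    }
    @Override public Socket createSocket(String host, int port, InetAddress local, int localPort) throws IOException {
        return verify(delegate.createSocket(host, port, local, localPort));
    }
    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
        return verify(delegate.createSocket(s, host, port, autoClose));
    }
    // Address-only overloads carry no host name to check, so refuse them.
    @Override public Socket createSocket(InetAddress a, int port) throws IOException {
        throw new IOException("host name required for peer verification");
    }
    @Override public Socket createSocket(InetAddress a, int port, InetAddress l, int lp) throws IOException {
        throw new IOException("host name required for peer verification");
    }
    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
}
```

The wrapper only has an effect if the caller obtains sockets through the host-name overloads, which is the change Proposed Solution #2 asks for.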