diff --git a/handler/src/main/java/io/netty/handler/ssl/util/FingerprintTrustManagerFactory.java b/handler/src/main/java/io/netty/handler/ssl/util/FingerprintTrustManagerFactory.java index c4563a99dd..79e434655a 100644 --- a/handler/src/main/java/io/netty/handler/ssl/util/FingerprintTrustManagerFactory.java +++ b/handler/src/main/java/io/netty/handler/ssl/util/FingerprintTrustManagerFactory.java @@ -39,11 +39,19 @@ import java.util.regex.Pattern; /** * An {@link TrustManagerFactory} that trusts an X.509 certificate whose SHA1 checksum matches. *
- * NOTE: - * Never use this {@link TrustManagerFactory} in production unless you are sure exactly what you are doing with it. - *
+ * NOTE: It is recommended to verify certificates and their chain to prevent + * Man-in-the-middle attacks. + * This {@link TrustManagerFactory} will only verify that the fingerprint of certificates match one + * of the given fingerprints. This procedure is called + * certificate pinning and + * is an effective protection. For maximum security one should verify that the whole certificate chain is as expected. + * It is worth mentioning that certain firewalls, proxies or other appliances found in corporate environments, + * actually perform Man-in-the-middle attacks and thus present a different certificate fingerprint. + *
+ ** The SHA1 checksum of an X.509 certificate is calculated from its DER encoded format. You can get the fingerprint of * an X.509 certificate using the {@code openssl} command. For example: + * *
* $ openssl x509 -fingerprint -sha1 -in my_certificate.crt * SHA1 Fingerprint=4E:85:10:55:BC:7B:12:08:D1:EA:0A:12:C9:72:EE:F3:AA:B2:C7:CB