SONAR-11071 CWE-297 host of SMTP server certificate is not verified
authorSimon Brandhof <simon.brandhof@sonarsource.com>
Wed, 25 Jul 2018 08:14:30 +0000 (10:14 +0200)
committerSimon Brandhof <simon.brandhof@sonarsource.com>
Wed, 25 Jul 2018 08:14:30 +0000 (10:14 +0200)
server/sonar-server/src/main/java/org/sonar/server/notification/email/EmailNotificationChannel.java

index fe4b126ba37d5af7c6041bac71859fa21d2df57c..bd6d02469232e74805ac87af1b91c85903dcb300 100644 (file)
@@ -188,6 +188,7 @@ public class EmailNotificationChannel extends NotificationChannel {
   private void configureSecureConnection(SimpleEmail email) {
     if (StringUtils.equalsIgnoreCase(configuration.getSecureConnection(), "ssl")) {
       email.setSSLOnConnect(true);
+      email.setSSLCheckServerIdentity(true);
       email.setSslSmtpPort(String.valueOf(configuration.getSmtpPort()));
 
       // this port is not used except in EmailException message, that's why it's set with the same value than SSL port.
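Review bot: The new `email.setSSLCheckServerIdentity(true)` on the SSL branch carries no comment explaining why it is there, and it is a behavioural change: any deployment whose SMTP server certificate's CN/SAN does not match the configured host name will start failing to send notifications after this commit. A why-comment such as `// SONAR-11071 / CWE-297: make JavaMail reject a server certificate that does not match the configured SMTP host` would stop a future maintainer from dropping it as redundant next to setSSLOnConnect. commons-email only honours this setter if it is called before the mail session is created (later calls are rejected); it sits next to the other connection setup here so that looks satisfied, but it is worth confirming that no caller touches getMailSession() earlier. configureSecureConnection continues past the end of this hunk.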
@@ -196,6 +197,7 @@ public class EmailNotificationChannel extends NotificationChannel {
     } else if (StringUtils.equalsIgnoreCase(configuration.getSecureConnection(), "starttls")) {
       email.setStartTLSEnabled(true);
       email.setStartTLSRequired(true);
+      email.setSSLCheckServerIdentity(true);
       email.setSmtpPort(configuration.getSmtpPort());
     } else if (StringUtils.isBlank(configuration.getSecureConnection())) {
       email.setSmtpPort(configuration.getSmtpPort());
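Review bot: The identity check added to the STARTTLS branch is only as strong as the host name it is compared against: JavaMail matches the certificate against the host given to the email object (presumably the configured SMTP host, set outside this hunk), so an installation that reaches its relay by IP address now needs a certificate carrying a matching IP SAN or mail delivery will break. That constraint deserves a mention in the SMTP host setting's description and in the upgrade notes rather than being discovered from an EmailException. Since the call is identical in both secure branches, it could also be hoisted above the if/else chain — the check should have no effect when no TLS is negotiated — so the two branches cannot drift apart again. The plain-text branch on the last lines is unchanged and outside the scope of CWE-297; the enclosing method runs past this hunk.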