4.3.5 Ensure 'hostNameVerificationEnabled' is set to 'true' in OIDC Relying Party (RP)

Information

Hostname verification is a server identity check that ensures a client is talking to the server it intended to reach. The check is performed on the client side of an SSL/TLS connection and compares the server certificate's Subject Alternative Name (or, failing that, the Subject DN) against the host part of the URL that was used to make the outbound request.

Hostname verification confirms that the request reached the correct server and was not redirected to an unknown one, which mitigates man-in-the-middle attacks.

Solution

Add the hostNameVerificationEnabled attribute to the openidConnectClient element in ${server.config.dir}/configDropins/overrides/*.xml and set it to true to enable hostname verification for JSON Web Tokens.

<openidConnectClient hostNameVerificationEnabled="true" />
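The following audit helper is an added example, not part of the benchmark or of Liberty: it parses the override XML files and reports every openidConnectClient element whose hostNameVerificationEnabled attribute is absent or not set to true. The sample configurations and the treatment of a missing attribute as a finding are assumptions made here.

```python
import glob
import os
import xml.etree.ElementTree as ET


def audit_config_text(xml_text, source="<inline>"):
    """Return (source, element id, attribute value) for each non-compliant
    openidConnectClient element in one Liberty configuration document."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter("openidConnectClient"):
        value = elem.get("hostNameVerificationEnabled")
        # Assumption: an absent attribute leaves verification at its default,
        # and the benchmark wants it set explicitly, so None is a finding too.
        if value is None or value.strip().lower() != "true":
            findings.append((source, elem.get("id", "(no id)"), value))
    return findings


def audit_dropins(overrides_dir):
    """Audit every *.xml file in a configDropins/overrides directory."""
    findings = []
    for path in sorted(glob.glob(os.path.join(overrides_dir, "*.xml"))):
        with open(path, encoding="utf-8") as fh:
            findings.extend(audit_config_text(fh.read(), source=path))
    return findings


# Constructed sample configurations for demonstration.
SAMPLE_FAIL = """<server>
  <openidConnectClient id="rp1" clientId="app" hostNameVerificationEnabled="false" />
  <openidConnectClient id="rp2" clientId="legacy" />
</server>"""

SAMPLE_PASS = """<server>
  <openidConnectClient id="rp3" clientId="app" hostNameVerificationEnabled="true" />
</server>"""

if __name__ == "__main__":
    for src, rp_id, value in audit_config_text(SAMPLE_FAIL, "sample-fail.xml"):
        print(f"FAIL {src}: openidConnectClient id={rp_id} "
              f"hostNameVerificationEnabled={value!r}")
    if not audit_config_text(SAMPLE_PASS, "sample-pass.xml"):
        print("PASS sample-pass.xml")
```

Run audit_dropins against the server's ${server.config.dir}/configDropins/overrides directory; an empty result means every relying party is compliant with this control.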

See Also

https://workbench.cisecurity.org/benchmarks/7724

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-23

Plugin: Unix

Control ID: 8c830de23b839f8cbed93607617f294aa53c8d051ebf4b2dbe9ca29dcc6aa8a5