[Bug 1376592] Re: X509 certificate verification problem

Launchpad Bug Tracker 1376592 at bugs.launchpad.net
Wed Dec 31 04:17:46 UTC 2014 

[Expired for freetds (Ubuntu) because there has been no activity for 60
days.]

** Changed in: freetds (Ubuntu)
       Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to freetds in Ubuntu.
https://bugs.launchpad.net/bugs/1376592

Title:
  X509 certificate verification problem

Status in freetds package in Ubuntu:
  Expired

Bug description:
  Recently, we are trying to find SSL security problems by static anaylsis.
  For example, Hostname verification is an important step when verifying X509 certificates, however, people tend to miss the step or to misunderstand the APIs when using SSL/TLS, which might cause severe man in the middle attack and break the entire TLS mechanism.

  During the experiment, we find that freetds-bin didn't check whether the hostname matches the name in the SSL certificate and the expired date of the certificate.The following is details:
  1. 
  file: /freetds-0.91/src/tds/net.c
  problem: Hostname verification missing

  2. 
  file: /freetds-0.91/src/tds/net.c
  problem: Hostname verification missing

  To verify the result, we attack the software manually:

  一.Hostname verification:
  1. configure the file freetds.conf :
         # A typical Microsoft server
  [sqlserver2000]
          host = hackbyfun.sqlserver.com
          port = 1433
          tds version = 8.0
          encrpytion = require
  2.wirte the file /etc/hosts in order to simulate DNS hijack:
    10.214.146.123     hackbyfun.sqlserver.com
   (PS: 10.214.146.123 is a normal sql server ip, its domain name is safe.sqlserver.com )

  3.connect with freetds-bin
  tsql -S sqlserver2000 -U sa -P <your password>

  4.result:connect succeed!!

  The fetch succeeded, indicating freetds-bin didn't check the hostname
  against the signee of the certificate.

  二. Also for expired time check,
  1. change the system time to 2200 to guarantee the certificate to be expired.
  2. the same as the above process. Run freetds-bin to connect a normal sql server
  3. result :connect succeed!!

  The fetch succeeded again and no warning was given, indicating
  freetds-bin didn't check whether the certificate expired or not.

  (PS: I have saved the wireshark packages, and upload these files)

  I am running freetds-bin 9.1-5 in ubuntu 14.04 LTS.

  for more information about the importance of checking hostname:
  see http://people.stfx.ca/x2011/x2011ucj/SSL/p38-georgiev.pdf

  Thanks.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freetds/+bug/1376592/+subscriptions

More information about the foundations-bugs mailing list