[Bug 1879533] Re: busybox does not verify TLS connections with CONFIG_FEATURE_WGET_OPENSSL=y and CONFIG_FEATURE_WGET_HTTPS unset, and doesn't warn either about it
Launchpad Bug Tracker
1879533 at bugs.launchpad.net
Fri May 22 00:30:23 UTC 2020
This bug was fixed in the package busybox - 1:1.30.1-4ubuntu8
---------------
busybox (1:1.30.1-4ubuntu8) groovy; urgency=medium
* Enable TLS verification with OpenSSL. LP: #1879533
busybox (1:1.30.1-4ubuntu7) groovy; urgency=medium
* Enable TLS in initramfs flavour of wget applet, requires openssl. LP:
#1879525
-- Dimitri John Ledkov <xnox at ubuntu.com> Wed, 20 May 2020 14:44:54
+0100
** Changed in: busybox (Ubuntu Groovy)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to busybox in Ubuntu.
https://bugs.launchpad.net/bugs/1879533
Title:
busybox does not verify TLS connections with
CONFIG_FEATURE_WGET_OPENSSL=y and CONFIG_FEATURE_WGET_HTTPS unset, and
doesn't warn either about it
Status in busybox package in Ubuntu:
Fix Released
Status in busybox source package in Focal:
New
Status in busybox source package in Groovy:
Fix Released
Bug description:
[Impact]
* CONFIG_FEATURE_WGET_OPENSSL=y enables https support in wget busybox
applet using openssl
* CONFIG_FEATURE_WGET_HTTPS=y enables https support in wget busybox
applet using internal TLS code
* CVE-2018-1000500 ensured that when CONFIG_FEATURE_WGET_HTTPS=y is
used, a message is printed to notify the users that TLS verification
is not perfomed.
* However, when one configures with CONFIG_FEATURE_WGET_OPENSSL=y and
CONFIG_FEATURE_WGET_HTTPS unset - no such message is printed.
* Also TLS verification is not performed under OPENSSL case.
* When performing https requests, it works openssl s_client and communicates with it to perform https download
* Whilst doing so, it does not pass `-verify_return_error` option, meaning any verification errors are ignored
* There is no warning that TLS verification was not performed
[Test Case]
* Preparation: sudo apt install busybox; or build busybox with
CONFIG_FEATURE_WGET_OPENSSL=y
* Test case: /bin/busybox wget https://untrusted-root.badssl.com/
* Expected: download failed, or download suceeds with warning printed
that verification is disabled
* Observed: download success without a warning that verification is
disabled.
$ /bin/busybox wget https://untrusted-root.badssl.com/
Connecting to untrusted-root.badssl.com (104.154.89.105:443)
index.html 100% |*************************************************************************************| 600 0:00:00 ETA
$ cat index.html | grep certificate
The certificate for this site is signed using an untrusted root.
[Regression Potential]
* The fact that /bin/busybox wget https:// succeeds without TLS
verification might be relied upon. If this issue is fixed, ensure that
`--no-check-certificate` is honored.
[Other Info]
* Proposed fix
pass `-verify_return_error` to s_client, unless `--no-check-
certificate` is specified
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/busybox/+bug/1879533/+subscriptions
More information about the foundations-bugs
mailing list