no SSL certificate verify
Shopping Ruan
rlq1969612634 at gmail.com
Fri Mar 31 08:28:43 UTC 2017
Hi developers:
Nowadays we made a large scale security static analysis on several open
source projects, and found some mistakes in uhub_0.4.1. In the @src/network/
openssl.c:245:
ssize_t net_con_ssl_handshake(struct net_connection* con, enum
net_con_ssl_mode ssl_mode, struct ssl_context_handle* ssl_ctx)
{
[...]
else
{
handle->ssl = SSL_new(SSL_CTX_new(TLSv1_method()));
SSL_set_fd(handle->ssl, con->sd);
handle->bio = SSL_get_rbio(handle->ssl);
con->ssl = (struct ssl_handle*) handle;
return net_con_ssl_connect(con);
}
You do SSL_connect(ssl) in net_con_ssl_connect(con) and when finish this
step, you immedicately start to execute read/write operation without verify
certificate,which can lead to MITM attack and cause leakage of sensitive
data.We recommand you add verify operation such as SSL_CTX_set_verify or
SSL_get_peer_certificate to guarantee the security. We
have send the bug report to Ubuntu launchpad,and also inform you of such
news.Here are the link:
https://bugs.launchpad.net/ubuntu/+source/uhub/+bug/1677495
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/ubuntu-devel-discuss/attachments/20170331/1a25865d/attachment.html>
More information about the Ubuntu-devel-discuss
mailing list