no SSL certificate verify

Shopping Ruan rlq1969612634 at
Fri Mar 31 08:28:43 UTC 2017

Hi developers:
   Recently we performed a large-scale security static analysis on several open
source projects and found some mistakes in uhub_0.4.1. In the @src/network/
  ssize_t net_con_ssl_handshake(struct net_connection* con,
                                enum net_con_ssl_mode ssl_mode,
                                struct ssl_context_handle* ssl_ctx)
      /* client branch: a fresh context, no verification mode ever set on it */
      handle->ssl = SSL_new(SSL_CTX_new(TLSv1_method()));
      SSL_set_fd(handle->ssl, con->sd);
      handle->bio = SSL_get_rbio(handle->ssl);
      con->ssl = (struct ssl_handle*) handle;
      /* runs SSL_connect(); nothing checks the peer certificate afterwards */
      return net_con_ssl_connect(con);

  You do SSL_connect(ssl) in net_con_ssl_connect(con), and when this step
finishes you immediately start to execute read/write operations without
verifying the certificate, which can lead to a MITM attack and cause leakage of
sensitive data. We recommend you add a verify operation such as
SSL_CTX_set_verify or SSL_get_peer_certificate to guarantee security. We have
sent the bug report to Ubuntu Launchpad, and are also informing you of this.
Here is the link:
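The gap described above, reproduced with Python's ssl module as an added example (this is not uhub code): a client context configured like the uhub snippet accepts a certificate no CA signed, while a context that verifies the peer, the analogue of SSL_CTX_set_verify(SSL_VERIFY_PEER) plus a hostname check, rejects it. The self-signed certificate is a throw-away one constructed with the openssl CLI at run time, and the function names below are chosen here.

```python
import os, socket, ssl, subprocess, tempfile, threading

def insecure_client_context():
    # Same shape as the uhub snippet: do the handshake, never verify the peer.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    return ctx

def hardened_client_context(cafile=None):
    # Python's analogue of SSL_CTX_set_verify(SSL_VERIFY_PEER) plus a hostname check.
    return ssl.create_default_context(cafile=cafile)

def audit_client_context(ctx):
    """Settings that would let a man-in-the-middle present any certificate."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode is CERT_NONE: any certificate is accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a cert for another host is accepted")
    return findings

def handshake_succeeds(client_ctx):
    """Loopback handshake vs. a constructed self-signed cert: accepted -> True, rejected -> False, no openssl CLI -> None."""
    with tempfile.TemporaryDirectory() as d:
        crt, key = os.path.join(d, "s.crt"), os.path.join(d, "s.key")
        try:
            subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                            "-subj", "/CN=localhost", "-keyout", key, "-out", crt], check=True, capture_output=True)
        except (FileNotFoundError, subprocess.CalledProcessError):
            return None  # no usable openssl CLI on this machine
        srv_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        srv_ctx.load_cert_chain(crt, key)
    socket.setdefaulttimeout(10)
    lsock = socket.socket(); lsock.bind(("127.0.0.1", 0)); lsock.listen(1)
    def serve():
        try:
            with srv_ctx.wrap_socket(lsock.accept()[0], server_side=True) as s:
                s.recv(1)
        except (ssl.SSLError, OSError):
            pass  # a verifying client aborts the handshake; that is the point
    t = threading.Thread(target=serve); t.start()
    try:
        with socket.create_connection(lsock.getsockname()) as raw, \
             client_ctx.wrap_socket(raw, server_hostname="localhost") as tls:
            tls.sendall(b"x")  # the uhub client would already be exchanging data here
            return True
    except ssl.SSLCertVerificationError:
        return False
    finally:
        t.join(); lsock.close()
```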