[Bug 1380038] [NEW] SSL problems: doesn't check certificate chain and hostname when ssl connecting

[rainkin]

*** This bug is a security vulnerability ***

Public security bug reported:

Recently, we are trying to find SSL security problems by static
analysis. For example, as we all know, Hostname verification is an
important step when verifying X509 certificates, however, people tend to
miss the step or to misunderstand the APIs when using SSL/TLS, which
might cause severe man in the middle attack and break the entire TLS
mechanism. And static analysis is a way of finding whether the APIs are
called correctly.

Now, we find some SSL problems in pacemaker, the following is details:

1.
file :  /pacemaker-1.1.6/lib/common/remote.c 
problem : Certificate chain verification is missing

2.
file : /pacemaker-1.1.6/lib/common/remote.c
problem : Hostname verification is missing

More specifically , we can take hostname check for example, the function
verify_certificate() can only guarantee the validity of the certificate
but cannot guarantee that the host you are trying to connect is the one
you intend to visit, which may lead to man-in-the-middle attack or other
security issues. And other APIs have similar problems.

PS: for more information, you can see the paper: http://people.stfx.ca/x2011/x2011ucj/SSL/p38-georgiev.pdf
and more details you can contact with us, my email : rainkin1993 at gmail.com

Thanks.

** Affects: pacemaker (Ubuntu)
     Importance: Undecided
         Status: New

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to pacemaker in Ubuntu.
https://bugs.launchpad.net/bugs/1380038

Title:
  SSL problems: doesn't check certificate chain and hostname when ssl
  connecting

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pacemaker/+bug/1380038/+subscriptions