[Bug 1677506] Re: incomplete SSL certificate verify

Bastian Germann 1677506 at bugs.launchpad.net
Sun Apr 9 09:58:08 UTC 2023


tnftp 20230409's ChangeLog has "Support SSL certificate validation by
default."

https://bugs.launchpad.net/bugs/1677506

Title:
  incomplete SSL certificate verify

Status in tnftp package in Ubuntu:
  New

Bug description:
  Hi developers:
      We made a large-scale security static analysis on several open source projects, and found some mistakes in tnftp-20130505. In the @src/ssl.c:555:
  void * fetch_start_ssl(int sock)
  {
  	[...]
  	ctx = SSL_CTX_new(SSLv23_client_method());
  	SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
  	ssl = SSL_new(ctx);
  	if (ssl == NULL){
  		fprintf(ttyout, "SSL context creation failed\n");
  		SSL_CTX_free(ctx);
  		return NULL;
  	}
  	SSL_set_fd(ssl, sock);
  	while ((ret = SSL_connect(ssl)) == -1)
  	[...]
  	cert = SSL_get_peer_certificate(ssl);
  	[...]
  }

    We find that you use SSL_get_peer_certificate() to get the cert and
  verify some properties of it. But it still can lead to a MITM attack. To
  guarantee the security, we recommend you add the judgement
  if(SSL_get_verify_result(ssl)==X509_V_OK) to make sure validation
  succeeds.
