View Issue Details

ID: 0005019
Project: SOGo
Category: SOPE
View Status: public
Last Update: 2020-07-09 13:56
Reporter: the_nic
Assigned To:
Priority: high
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Fixed in Version: 5.0.0
Summary: 0005019: TLS implementation in NGActiveSSLSocket does not verify peer
Description

The TLS socket implementation in NGActiveSSLSocket currently does not verify the peer. This means that any certificate is accepted, with both GnuTLS and OpenSSL.

This is quite bad, as it allows for MITM attacks, which TLS can easily prevent.

To fix this, NGActiveSSLSocket would need a host name passed (or extracted from the underlying socket) and then be verified:

GnuTLS

  • Load the root CA store: gnutls_certificate_set_x509_trust_file() or gnutls_certificate_set_x509_system_trust()
  • gnutls_server_name_set() with the host name

OpenSSL

  • adjust the line SSL_CTX_set_verify(self->ctx, SSL_VERIFY_NONE, NULL); to verify the peer (removing should be sufficient)
  • set host name with SSL_set_tlsext_host_name()

Generally following https://docs.fedoraproject.org/en-US/Fedora_Security_Team/1/html/Defensive_Coding/sect-Defensive_Coding-TLS-Client.html (OpenSSL) and https://docs.fedoraproject.org/en-US/Fedora_Security_Team/1/html/Defensive_Coding/sect-Defensive_Coding-TLS-Client-GNUTLS.html (GnuTLS) should be good practice.

  • SSL_set_tlsext_host_name(ssl, host)
Tags: No tags attached.

Activities

the_nic

2020-05-14 14:03

reporter   ~0014339

Implemented in https://github.com/inverse-inc/sope/pull/52

ajs124

2020-06-04 21:52

reporter   ~0014394

Someone should probably go and get a CVE issued for this so distros can backport it. Missing SSL Certificate Validation is literally one of the CVE categories.

the_nic

2020-07-09 12:54

reporter   ~0014488

I think this can be closed, as the change has been merged.

Issue History

Date Modified Username Field Change
2020-05-11 05:04 the_nic New Issue
2020-05-14 14:03 the_nic Note Added: 0014339
2020-06-04 21:52 ajs124 Note Added: 0014394
2020-07-09 12:54 the_nic Note Added: 0014488
2020-07-09 13:56 francis Status new => resolved
2020-07-09 13:56 francis Resolution open => fixed
2020-07-09 13:56 francis Fixed in Version => 5.0.0