Date: Thu, 12 Mar 2015 10:44:58 +1100
From: Michael Samuel <mik@...net.net>
To: oss-security@...ts.openwall.com
Subject: Re: Another Python app (rhn-setup: rhnreg_ks) not
 checking hostnames in certs properly CVE-2015-1777

On 12 March 2015 at 02:48, Kurt Seifried <kseifried@...hat.com> wrote:

> Much like /tmp issues the solution that will save us is not to fix every
> /tmp issue but rather do more intelligent things like polyinstantiated
> tmp or systemd per process tmp. Sadly I don't see such an easy
> possibility with TLS/SSL, but if we have a decent test
> framework/reproduction ability it will make finding, fixing and
> verifying these things a whole lot easier long term.

You can test for the common bugs extremely easily - you need two types of
bogus certificate installed on the server:
- A completely untrusted (e.g. self-signed) certificate
- A certificate signed by a trusted authority but for the wrong hostname

It's not too hard to test SSH connections in a similar manner (just regen the
ssh host keys after the first connection).

Alternatively, you could make your OpenSSL modules for various languages
return client ctxs that verify by default - the topic of this discussion :)

Regards,
  Michael
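
The two-certificate test described above, sketched as an added example in Python (not part of the original post or of any project it mentions). The function and constant names are assumptions made for illustration; `probe` is meant to be pointed at a test server you control that presents one of the two bogus certificates, and `bogus_certs_accepted` predicts the outcome from the client context's settings alone.

```python
import socket
import ssl

# The two bogus server certificates from the post (labels are illustrative).
SELF_SIGNED = "untrusted (self-signed) certificate"
WRONG_HOST = "trusted CA, wrong hostname"

def bogus_certs_accepted(ctx):
    """Predict which bogus certs a client SSLContext would let through."""
    if ctx.verify_mode == ssl.CERT_NONE:
        # No chain validation at all, so the hostname is never checked either.
        return [SELF_SIGNED, WRONG_HOST]
    if not ctx.check_hostname:
        # Chain is validated, but a trusted cert for any name is accepted
        # unless the application compares the name itself.
        return [WRONG_HOST]
    return []

def probe(host, port, ctx, timeout=5.0):
    """Handshake with a test server presenting one of the bogus certs.

    Returns (accepted, detail). accepted=True against a bogus cert is a bug.
    Connection errors and non-verification TLS errors propagate to the caller.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.version()
    except ssl.SSLCertVerificationError as exc:
        return False, exc.verify_message

def unverified_context():
    """Constructed example: a client context with verification switched off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def chain_only_context():
    """Constructed example: chain is verified, hostname is not."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx
```
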
