Date: Thu, 12 Mar 2015 10:44:58 +1100 From: Michael Samuel <mik@...net.net> To: oss-security@...ts.openwall.com Subject: Re: Another Python app (rhn-setup: rhnreg_ks) not checking hostnames in certs properly CVE-2015-1777 On 12 March 2015 at 02:48, Kurt Seifried <kseifried@...hat.com> wrote: > Much like /tmp issues the solution that will save us is not to fix every > /tmp issue but rather do more intelligent things like poly instantiated > tmp or systemd per process tmp. Sadly I don't see such an easy > possibility with TLS/SSL, but if we have a decent test > framework/reproduction ability it will make finding, fixing and > verifying these things a whole lot easier long term. You can test for the common bugs extremely easily - you need two types of bogus certificate installed on the server: - A completely untrusted (eg. self-signed) certificate - A certificate signed by a trusted authority but for the wrong hostname It's not too hard to test SSH connections in a similar manner (just regen the ssh host keys after the first connection). Alternatively, you could make your OpenSSL modules for various languages return client ctxs that verify by default - the topic of this discussion :) Regards, Michael
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ