Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 9 Jun 2016 10:06:13 +0200
From: Marcus Meissner <meissner@...e.de>
To: OSS Security List <oss-security@...ts.openwall.com>,
	cve-assign@...re.org
Subject: CVE Request: ruby openssl hostname verification issue

Hi,

This probably warrants a CVE:

https://github.com/ruby/openssl/issues/8

quoting:

Even if OpenSSL::SSL::VERIFY_PEER is configured, I/O is allowed with a
remote server before the subject has been verified. VERIFY_PEER only
checks the cert chain is rooted in the local truststore. It does not
check if the subject is valid in and of itself.

My understanding is the ssl_socket.post_connection_check(hostname) method
must be called to ensure the subject is correctly verified. However,
communication is allowed to remote services without verifying the subject.

I would suggest throwing an exception if VERIFY_PEER is configured and
I/O is attempted without first calling post_connection_check

It would also be nice if this all happened automatically simply by
passing hostname into OpenSSL::SSL::SSLSocket (which AFAICT only affects
SNI presently, and not subject verification)

----

Ciao, Marcus
-- 
Marcus Meissner,SUSE LINUX GmbH; Maxfeldstrasse 5; D-90409 Nuernberg; Zi. 3.1-33,+49-911-740 53-432,,serv=loki,mail=wotan,type=real <meissner@...e.de>

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ