Date: Thu, 9 Jun 2016 10:06:13 +0200 From: Marcus Meissner <meissner@...e.de> To: OSS Security List <oss-security@...ts.openwall.com>, cve-assign@...re.org Subject: CVE Request: ruby openssl hostname verification issue Hi, This probably warrants a CVE: https://github.com/ruby/openssl/issues/8 quoting: Even if OpenSSL::SSL::VERIFY_PEER is configured, I/O is allowed with a remote server before the subject has been verified. VERIFY_PEER only checks the cert chain is rooted in the local truststore. It does not check if the subject is valid in and of itself. My understanding is the ssl_socket.post_connection_check(hostname) method must be called to ensure the subject is correctly verified. However, communication is allowed to remote services without verifying the subject. I would suggest throwing an exception if VERIFY_PEER is configured and I/O is attempted without first calling post_connection_check It would also be nice if this all happened automatically simply by passing hostname into OpenSSL::SSL::SSLSocket (which AFAICT only affects SNI presently, and not subject verification) ---- Ciao, Marcus -- Marcus Meissner,SUSE LINUX GmbH; Maxfeldstrasse 5; D-90409 Nuernberg; Zi. 3.1-33,+49-911-740 53-432,,serv=loki,mail=wotan,type=real <meissner@...e.de>
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ