Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 9 Jun 2016 10:06:13 +0200
From: Marcus Meissner <>
To: OSS Security List <>,
Subject: CVE Request: ruby openssl hostname verification issue


This probably warrants a CVE:


Even if OpenSSL::SSL::VERIFY_PEER is configured, I/O is allowed with a
remote server before the subject has been verified. VERIFY_PEER only
checks the cert chain is rooted in the local truststore. It does not
check if the subject is valid in and of itself.

My understanding is the ssl_socket.post_connection_check(hostname) method
must be called to ensure the subject is correctly verified. However,
communication is allowed to remote services without verifying the subject.

I would suggest throwing an exception if VERIFY_PEER is configured and
I/O is attempted without first calling post_connection_check

It would also be nice if this all happened automatically simply by
passing hostname into OpenSSL::SSL::SSLSocket (which AFAICT only affects
SNI presently, and not subject verification)


Ciao, Marcus
Marcus Meissner,SUSE LINUX GmbH; Maxfeldstrasse 5; D-90409 Nuernberg; Zi. 3.1-33,+49-911-740 53-432,,serv=loki,mail=wotan,type=real <>

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ