Date: Thu, 12 Mar 2015 10:44:58 +1100 From: Michael Samuel <mik@...net.net> To: oss-security@...ts.openwall.com Subject: Re: Another Python app (rhn-setup: rhnreg_ks) not checking hostnames in certs properly CVE-2015-1777 On 12 March 2015 at 02:48, Kurt Seifried <kseifried@...hat.com> wrote: > Much like /tmp issues the solution that will save us is not to fix every > /tmp issue but rather do more intelligent things like poly instantiated > tmp or systemd per process tmp. Sadly I don't see such an easy > possibility with TLS/SSL, but if we have a decent test > framework/reproduction ability it will make finding, fixing and > verifying these things a whole lot easier long term. You can test for the common bugs extremely easily - you need two types of bogus certificate installed on the server: - A completely untrusted (eg. self-signed) certificate - A certificate signed by a trusted authority but for the wrong hostname It's not too hard to test SSH connections in a similar manner (just regen the ssh host keys after the first connection). Alternatively, you could make your OpenSSL modules for various languages return client ctxs that verify by default - the topic of this discussion :) Regards, Michael
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.