Hi,
I remember looking at the 'how to validate certificates with tcl-tls' a
while ago; it's not really hard, but it will probably be annoying to do,
especially considering the http stuff, and in cases of proxies (the code and
API used for proxies is different). There are so many TLS connections to so
many different servers, each might have their own certificate, and since for
http we can only set it up via 'http::register' for port 443, if we do
two parallel connections, we might easily have a race condition where the
wrong certificate is being checked...
Also, if the M$ certificate expires and they change it, it will break all
versions and will force us to release a new version (and you know it takes us
months to do one release, even in 'release ASAP' mode). And distributions
that don't update their repositories very often will suffer from it. But
I'm not too sure how this stuff works, though.
Another solution might be to provide a directory with the CA certificates, and
let tcltls validate the CA from there. I'm not sure, and I'm not very
security-savvy, so if someone else volunteers to do it... that would be
nice.
The best solution would be to say: Jan Lieskovsky, patches are welcome :)
KaKaRoTo
On Mon, Mar 8, 2010 at 12:42 PM, Álvaro J. Iradier <airad...@users.sourceforge.net> wrote:
> I didn't know about this problem with the certificate.
>
> Sounds easy to fix, maybe just check the certificate signature, and give a
> warning if it mismatches? What do you think?
>
>
> ---------- Forwarded message ----------
> From: Jan Lieskovsky <jlies...@redhat.com>
> Date: Mon, Mar 8, 2010 at 6:31 PM
> Subject: Regarding aMSN SSL Certificate Validation Security Bypass issue
> To: "Alvaro J. Iradier Muro" <airad...@users.sourceforge.net>
>
>
> Hi Alvaro,
>
> this is due to:
> [1] http://www.juniper.net/security/auto/vulnerabilities/vuln35507.html
> [2] http://seclists.org/bugtraq/2009/Jun/239
>
> Noticed aMSN 0.98.3 was released today:
> [3] http://www.amsn-project.net/blog/2010/03/amsn-0-98-3-released/
>
> but I can't see a patch for [1] in it, so I wanted to check the state of
> it with you --
> is the aMSN upstream planning to address this issue? (Or has it
> already been addressed and I just overlooked the change?)
>
> Thanks && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team
>
>
>
> --
> (:=================================:)
> Alvaro J. Iradier Muro - airad...@gmail.com
>
>
_______________________________________________
Amsn-devel mailing list
Amsn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amsn-devel
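As an added illustration of the CA-directory approach discussed in the thread (this is example code written for this page, not aMSN's or tcl-tls's own code), the snippet below registers one global TLS configuration for ::http and a verify callback that rejects chains that fail validation instead of only warning. It assumes tcl-tls 1.6-style options (`-require`, `-cadir`, `-command`) and the `verify chan depth cert status error` callback shape; the path `/etc/ssl/certs`, the `amsn_tls_*` names, and the simple CN matching are assumptions for the example. Because validation is done against a CA store rather than a per-server certificate, the same registration serves every host, so no per-connection certificate swapping is needed and the race between parallel connections does not arise; a CA rollover on the server side also no longer requires a new client release as long as the CA itself stays trusted.

```tcl
package require Tcl 8.5
package require http
package require tls

# Directory of trusted CA certificates in OpenSSL hashed layout
# (run c_rehash / openssl rehash on it). Assumed path for this example.
set ::ca_dir "/etc/ssl/certs"

# Expected server name per channel, filled in by amsn_tls_socket so the
# verify callback can match the leaf certificate against it (tcl-tls of
# this era does not compare the certificate subject to the host itself).
array set ::amsn_tls_host {}

# Very small hostname match: exact, or a single leftmost "*" label.
proc ::amsn_tls_cn_matches {cn host} {
    set cn [string tolower $cn]
    set host [string tolower $host]
    if {$cn eq $host} { return 1 }
    if {[string match {\*.*} $cn]} {
        set suffix [string range $cn 1 end]
        set dot [string first . $host]
        return [expr {$dot > 0 && [string range $host $dot end] eq $suffix}]
    }
    return 0
}

# Verify callback. tls calls it as "verify chan depth cert status error";
# returning 0 rejects the chain, returning 1 accepts it. Unlike the default
# tls::callback with debug enabled, a bad result is never forced to OK.
proc ::amsn_tls_verify {option args} {
    switch -- $option {
        verify {
            lassign $args chan depth cert rc err
            array set c $cert
            if {$rc != 1} {
                puts stderr "TLS/$chan: depth $depth: rejecting $c(subject): $err"
                return 0
            }
            if {$depth == 0 && [info exists ::amsn_tls_host($chan)]} {
                set host $::amsn_tls_host($chan)
                if {![regexp {CN=([^/,]+)} $c(subject) -> cn] ||
                    ![::amsn_tls_cn_matches $cn $host]} {
                    puts stderr "TLS/$chan: subject $c(subject) does not match $host"
                    return 0
                }
            }
            return 1
        }
        error {
            lassign $args chan msg
            puts stderr "TLS/$chan: error: $msg"
        }
    }
}

# Socket command usable both by ::http::register and directly (e.g. for the
# proxy code path). ::http passes optional flags, then host and port.
proc ::amsn_tls_socket {args} {
    set host [lindex $args end-1]
    set port [lindex $args end]
    set opts [lrange $args 0 end-2]
    set chan [::tls::socket -require 1 -cadir $::ca_dir \
        -command ::amsn_tls_verify -ssl2 0 -ssl3 0 -tls1 1 \
        {*}$opts $host $port]
    # The handshake (and thus the callback) runs on first I/O, after this.
    set ::amsn_tls_host($chan) $host
    return $chan
}

# Direct connection helper: forces the handshake now so a bad certificate
# fails at connect time rather than on the first read.
proc ::amsn_tls_connect {host port} {
    set chan [::amsn_tls_socket $host $port]
    ::tls::handshake $chan
    return $chan
}

# Register once, globally: every https URL fetched through ::http uses the
# same CA store and the same verify callback.
::http::register https 443 ::amsn_tls_socket
```

The `-require 1` flag makes the TLS layer demand a server certificate and fail the handshake when the callback returns 0; without it, a verification failure would only be reported and the connection would continue, which is the behaviour the advisories in the thread describe. If the CA directory is missing or not rehashed, every connection fails closed, so the client should surface that as a configuration error rather than silently disabling verification.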