Regarding the patch I submitted yesterday, I apologize I was inadvertently on the wrong branch and I see now that this issue has already been addressed on master and in the 1.32 unstable release in commit 45fa3f1. I have been looking at the changes introduced in that commit, and I have a few concerns:
1. OpenSSL's s_client doesn't appear to exit with an error if just the `-verify_return_error` flag is used. I've tested this on BusyBox 1.32 with OpenSSL 1.0.2u and LibreSSL 3.1.3 and am still able to `wget https://expired.badssl.com` without getting an error. To cause s_client to abort with an error, it is necessary to also use the `-verify 100` flag. Further reading on this is available at https://www.vdoo.com/ja/blog/busybox-wget-case. 2. Even with the `-verify 100 -verify_return_error` flags, OpenSSL does not verify that the certificate is valid for the requested hostname. For hostname verification to work, it is necessary to use `-verify_hostname <hostname>` for hostname based requests or `-verify-ip` for IP address based requests. 3. The `-verify_return_error` flag gets added in argv[7]. If the end user uses wget on an IP address rather than a hostname, argv[5] and argv[6] will remain set to null, causing execvp not to pass any arguments after argv[4] to s_client and resulting in no check being performed.
signature.asc
Description: OpenPGP digital signature
_______________________________________________ busybox mailing list busybox@busybox.net http://lists.busybox.net/mailman/listinfo/busybox