On Sun, Jan 20, 2013 at 6:50 AM, Vincent Hanquez <t...@snarc.org> wrote:
> Hi cafe,
>
> this is a security advisory for tls-extra < 0.6.1 which are all vulnerable to bad
> certificate validation.
>
> Some parts of the certificate validation procedure were missing (relying on the
> work-in-progress x509 v3 extensions), and because of this anyone with a correct
> end-entity certificate can issue certificates for any arbitrary domain, i.e.
> acting as a CA.
>
> This problem has been fixed in tls-extra 0.6.1, and I advise everyone to upgrade as
> soon as possible.
>
> Despite a very serious flaw in the certificate validation, I'm happy that the
> code is seeing some audits, and would want to thank Ertugrul Söylemez for the
> findings [1].
>
> [1] https://github.com/vincenthz/hs-tls/issues/29
>

Regarding testing, it looks like the Tests directory hasn't been updated to cover this bug. What would really give confidence is a set of tests encoding fixed security vulnerabilities in OpenSSL (and similar libraries). That should also give you a lot of confidence in your library.

But anyways, this is fantastic work you're doing. Keep it up!

Alexander

> --
> Vincent
>
> _______________________________________________
> Haskell-Cafe mailing list
> Haskell-Cafe@haskell.org
> http://www.haskell.org/mailman/listinfo/haskell-cafe