[Bug 1677958] Re: no SSL certificate verify

2017-05-18 Thread Nish Aravamudan
** Also affects: nghttp2 (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Changed in: nghttp2 (Ubuntu)
   Status: New => Fix Released

** Changed in: nghttp2 (Ubuntu Xenial)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1677958

Title:
  no SSL certificate verify

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nghttp2/+bug/1677958/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 1677958] Re: no SSL certificate verify

2017-05-18 Thread Nish Aravamudan
Ruan, it's ok! Thank you for your detailed analyses. It sounds like this
is still a potential security issue in 16.04, at least.



[Bug 1677958] Re: no SSL certificate verify

2017-05-17 Thread Ruan Linqi
This problem can be closed. Sorry for disturbing you. For some reasons, we do
our analysis on Ubuntu 16.04, where the nghttp2 version is 1.7.1; no
SSL_set_verify(ssl, SSL_VERIFY_PEER, verify_cb) exists there, so we can do a
MITM attack.
We find that in the latest version, 1.22.0, this bug has been fixed. Thank you
for your timely reply and patience. I also apologize for my carelessness.



[Bug 1677958] Re: no SSL certificate verify

2017-05-17 Thread Nish Aravamudan
Hello Ruan,

Thank you for keeping us apprised of the situation.

I see in that function, that they do call

SSL_set_verify(ssl, SSL_VERIFY_PEER, verify_cb);

[elided from your excerpt]

but you are saying the MITM attack exists because they are not verifying
the global context?

** Changed in: nghttp2 (Ubuntu)
   Status: Invalid => New



Re: [Bug 1677958] Re: no SSL certificate verify

2017-05-16 Thread Ruan Linqi
Nowadays we find that in nghttp2-client there exists another bug.
In @src/nghttp.cc:

int HttpClient::initiate_connection()
{
  [...]
  ssl = SSL_new(ssl_ctx);
  [...]
  SSL_set_fd(ssl, fd);
  SSL_set_connect_state(ssl);
  [...]
  writefn = &HttpClient::connected;
}

The function initiate_connection achieves the SSL connect. When the
connection finishes, you immediately start to execute read/write operations
without verifying the certificate, which can lead to a MITM attack and cause
leakage of sensitive data. We have built a test environment to prove such an
attack can occur. We recommend you add a verify operation such as
SSL_CTX_set_verify or SSL_get_peer_certificate to guarantee the security.

We have proved the MITM attack can occur. This bug report has been sent to
the upstream developer and we are waiting for the report from them.

2017-05-17 1:48 GMT+08:00 Nish Aravamudan:

> To be clear, this bug is in example code to demonstrate how one uses
> libnghttp2, not in any actual libnghttp2 code.
>
> The upstream developer Tatsuhiro Tsujikawa (offlist) said:
>
> > Thank you for the security analysis.
> > examples/client.c is an example program to show how to use libnghttp2,
> > and we made it intentionally simple.
> > In addition, since developers often use self-signed certificates for
> > developments, we omitted any verification after handshake.  We never expect
> > to see this as used in production scenario.
>
> Ruan, I believe the upstream developer is waiting on you to respond with
> how you would like them to proceed: either a block comment or removal of
> the example code.
>
> ** Changed in: nghttp2 (Ubuntu)
>    Status: Confirmed => Invalid
>
> Status in nghttp2 package in Ubuntu:
>   Invalid
>
> Bug description:
>   Hi developers:
>   We made a large scale security static analysis on several open
>   source projects, and found some mistakes in nghttp2 1.7.1. In the
>   @example/client.c:539:
>   static void fetch_uri(const struct URI *uri) {
>     [...]
>     ssl_ctx = SSL_CTX_new(SSLv23_client_method());
>     if (ssl_ctx == NULL) {
>       dief("SSL_CTX_new", ERR_error_string(ERR_get_error(), NULL));
>     }
>     init_ssl_ctx(ssl_ctx);
>     ssl = SSL_new(ssl_ctx);
>     if (ssl == NULL) {
>       dief("SSL_new", ERR_error_string(ERR_get_error(), NULL));
>     }
>     /* To simplify the program, we perform SSL/TLS handshake in blocking
>        I/O. */
>     ssl_handshake(ssl, fd);
>     [...]
>   }
>
>   The function ssl_handshake(ssl, fd) achieves SSL_connect(ssl). When
>   the SSL connect finishes, you immediately start to execute read/write
>   operations without verifying the certificate, which can lead to a MITM
>   attack and cause leakage of sensitive data. We recommend you add a
>   verify operation such as SSL_CTX_set_verify or SSL_get_peer_certificate
>   to guarantee the security.
>
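
An added example, not part of the thread and not nghttp2 code: a small Python heuristic for the check debated above, namely whether a C/C++ snippet that starts a TLS handshake also turns on peer verification. It goes slightly beyond the thread by also recognising SSL_do_handshake and SSL_get_verify_result (OpenSSL calls the thread does not mention) and by reporting "inconclusive" when an excerpt contains "[...]" elisions; the sample snippets are constructed from the excerpts quoted in the thread.

```python
import re

# Calls that start or drive the TLS handshake. ssl_handshake() is the helper
# named in the thread's examples/client.c excerpt; the rest are OpenSSL calls.
HANDSHAKE = ("SSL_connect", "SSL_set_connect_state", "SSL_do_handshake", "ssl_handshake")
SET_VERIFY = re.compile(r"\bSSL(?:_CTX)?_set_verify\s*\(([^;]*?)\)\s*;", re.S)
GET_RESULT = re.compile(r"\bSSL_get_verify_result\s*\(")

def strip_comments(src):
    """Drop C and C++ comments so commented-out calls are not counted."""
    return re.sub(r"/\*.*?\*/|//[^\n]*", "", src, flags=re.S)

def audit(src):
    """Classify a snippet: no-handshake, verifies, inconclusive or unverified."""
    code = strip_comments(src)
    if not any(re.search(r"\b%s\s*\(" % name, code) for name in HANDSHAKE):
        return "no-handshake"
    modes = [m.group(1) for m in SET_VERIFY.finditer(code)]
    # SSL_get_peer_certificate() is not counted: fetching the certificate
    # does not by itself validate the chain.
    if any("SSL_VERIFY_PEER" in mode for mode in modes) or GET_RESULT.search(code):
        return "verifies"
    # An excerpt with "[...]" may have elided the verification call.
    return "inconclusive" if "[...]" in code else "unverified"

# Constructed samples, modelled on the excerpts quoted in the thread.
THREAD_EXCERPT = """
  ssl = SSL_new(ssl_ctx);
  [...]
  SSL_set_fd(ssl, fd);
  SSL_set_connect_state(ssl);
  [...]
"""
WITH_VERIFY = THREAD_EXCERPT.replace(
    "[...]", "SSL_set_verify(ssl, SSL_VERIFY_PEER, verify_cb);", 1)
DISABLED = """
  ssl = SSL_new(ssl_ctx);
  // SSL_set_verify(ssl, SSL_VERIFY_PEER, verify_cb);
  SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL);
  SSL_connect(ssl);
"""

if __name__ == "__main__":
    for name in ("THREAD_EXCERPT", "WITH_VERIFY", "DISABLED"):
        print(name, "->", audit(globals()[name]))
```

The scan is per snippet, so a verification call set up in a helper outside the scanned text is not seen; run it over the whole file before treating "unverified" as a finding.
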

[Bug 1677958] Re: no SSL certificate verify

2017-05-16 Thread Nish Aravamudan
To be clear, this bug is in example code to demonstrate how one uses
libnghttp2, not in any actual libnghttp2 code.

The upstream developer Tatsuhiro Tsujikawa (offlist) said:

> Thank you for the security analysis.
> examples/client.c is an example program to show how to use libnghttp2, and we
> made it intentionally simple.
> In addition, since developers often use self-signed certificates for
> developments, we omitted any verification after handshake.  We never expect
> to see this as used in production scenario.

Ruan, I believe the upstream developer is waiting on you to respond with
how you would like them to proceed: either a block comment or removal of
the example code.

** Changed in: nghttp2 (Ubuntu)
   Status: Confirmed => Invalid


[Bug 1677958] Re: no SSL certificate verify

2017-05-03 Thread Ruan Linqi
The code maintainer has confirmed the bug and added a large text inside
the source code to implement that it is insecure for production use.

** Changed in: nghttp2 (Ubuntu)
   Status: New => Confirmed



[Bug 1677958] Re: no SSL certificate verify

2017-05-01 Thread Nish Aravamudan
Also, 1.7.1 is only present in 16.04, there have been many updates to
the package since then -- can you verify if it was fixed upstream
already and at what version?



[Bug 1677958] Re: no SSL certificate verify

2017-05-01 Thread Nish Aravamudan
Has this been reported upstream to nghttp2?



[Bug 1677958] Re: no SSL certificate verify

2017-03-31 Thread Ruan Linqi
** Information type changed from Private Security to Public
