[Bug 1677958] Re: no SSL certificate verify
This problem can be closed .Sorry for disturbing you.For some reasons ,we do analysis on Ubuntu 16.04.,where the nghttp2 version is 1.7.1, NO SSL_set_verify(ssl, SSL_VERIFY_PEER, verify_cb) exists,so we can do MITM attack. We find in the lastest version 1.22.0,this bug has fixed.Thank for you timely reply and patience.Also apologize for my carelessness. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1677958 Title: no SSL certificate verify To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nghttp2/+bug/1677958/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
Re: [Bug 1677958] Re: no SSL certificate verify
Nowadays We find in nghttp2-client there exists other bug .
In @src/nghttp.cc:
int HttpClient::initiate_connection()
{
[...]
ssl = SSL_new(ssl_ctx);
[...]
SSL_set_fd(ssl.fd);
SSL_set_connect_state(ssl);
[...]
writefn = &HttpClient::connected;
}
The function initiate_connection achieve SSL connect. When finish
connection , you immedicately start to execute read/write operation without
verify certificate,which can lead to MITM attack and cause leakage of
sensitive data.We have built the test environment to prove such attack can
occur.We recommand you add verify operation such as SSL_CTX_set_verify or
SSL_get_peer_certificate to guarantee the security.
We have proved the MITM attack can occur.This bug report has sent to
upstream developer and we are waiting the report from them.
2017-05-17 1:48 GMT+08:00 Nish Aravamudan
:
> To be clear, this bug is in example code to demonstrate how one uses
> libnghttp2, not in any actual libnghttp2 code.
>
> The upstream developer Tatsuhiro Tsujikawa (offlist) said:
>
> > Thank you for the security analysis.
> > examples/client.c is an example program to show how to use libnghttp2,
> and we made it intentionally simple.
> > In addition, since developers often use self-signed certificates for
> developments, we omitted any verification after handshake. We never expect
> to see this as used in production scenario.
>
> Ruan, I believe the upstream developer is waiting on you to respond with
> how you would like them to proceed: either a block comment or removal of
> the example code.
>
> ** Changed in: nghttp2 (Ubuntu)
>Status: Confirmed => Invalid
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1677958
>
> Title:
> no SSL certificate verify
>
> Status in nghttp2 package in Ubuntu:
> Invalid
>
> Bug description:
> Hi developers:
> We made a large scale security static analysis on several open
> source projects, and found some mistakes in nghttp2 1.7.1. In the
> @example/client.c:539:
> static void fetch_uri(const struct URI *uri) {
> {
> [...]
> ssl_ctx = SSL_CTX_new(SSLv23_client_method());
> if (ssl_ctx == NULL) {
>dief("SSL_CTX_new", ERR_error_string(ERR_get_error(), NULL));
> }
> init_ssl_ctx(ssl_ctx);
> ssl = SSL_new(ssl_ctx);
> if (ssl == NULL) {
>dief("SSL_new", ERR_error_string(ERR_get_error(), NULL));
> }
> /* To simplify the program, we perform SSL/TLS handshake in blocking
>I/O. */
> ssl_handshake(ssl, fd);
> [...]
> }
>
> The function ssl_handshake(ssl, fd) achieve SSL_connect(ssl). When
> finish the SSL connect, you immedicately start to execute read/write
> operation without verify certificate,which can lead to MITM attack and
> cause leakage of sensitive data.We recommand you add verify operation
> such as SSL_CTX_set_verify or SSL_get_peer_certificate to guarantee
> the security.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/nghttp2/+bug/
> 1677958/+subscriptions
>
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1677958
Title:
no SSL certificate verify
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nghttp2/+bug/1677958/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1677958] Re: no SSL certificate verify
The code maintainer have confirm the bug and add a large text inside the source code to implement that is insecure for production use. ** Changed in: nghttp2 (Ubuntu) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1677958 Title: no SSL certificate verify To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nghttp2/+bug/1677958/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
Re: [Bug 1677951] Re: incomplete SSL certificate verify
Hi Developers:
In @plugins/sslutils.c:164~248, I see you get the certificate and verify
some properties of it.So plugin is planning to do so? Why not use the
judgement :SSL_get_verify_result(ssl)==X509_V_OK to guarantee valid cert
verification?
2017-04-06 17:16 GMT+08:00 Jan Wagner <1677...@bugs.launchpad.net>:
> check_http (and every other plugin) does NOT verify certificates and was
> never planed to do so.
>
> ** Changed in: monitoring-plugins (Ubuntu)
>Status: Confirmed => Invalid
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1677951
>
> Title:
> incomplete SSL certificate verify
>
> Status in monitoring-plugins package in Ubuntu:
> Invalid
>
> Bug description:
> Hi developers:
> We made a large scale security static analysis on several open
> source projects, and found some mistakes in monitoring-plugins-2.1.2. In
> the @plugins/sslutils.c:164:
> int np_net_ssl_check_cert(int days_till_exp_warn, int
> days_till_exp_crit){
> # ifdef USE_OPENSSL
> [...]
> certificate=SSL_get_peer_certificate(s);
>
> if (!certificate) {
> printf("%s\n",_("CRITICAL - Cannot retrieve server
> certificate."));
> return STATE_CRITICAL;
> }
>
> /* Extract CN from certificate subject */
> subj=X509_get_subject_name(certificate);
> [...]
> }
>
> We find that you use SSL_get_peer_certificate() to get the cert
> and verify some properties of it.But it still not secure enough and
> can lead to MITM attack. To guarantee the security,we recommand you
> add the judgement if(SSL_get_verify_result(ssl)==X509_V_OK) to make
> sure validation succeeds.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/monitoring-
> plugins/+bug/1677951/+subscriptions
>
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1677951
Title:
incomplete SSL certificate verify
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/monitoring-plugins/+bug/1677951/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1681177] [NEW] Disabled SSL certificate verify
Public bug reported:
Hi developers:
We made a large scale security static analysis on several open source
projects, and found some mistakes in dnsval-2.0. In the @libval/valdane.c:743:
int val_dane_check(val_context_t *ctx,SSL *con,struct val_danestatus
*danestatus,int *do_pathval)
{
[...]
switch (dane_cur->usage) {
[...]
case DANE_USE_SVC_CONSTRAINT: /*1*/
cert = SSL_get_peer_certificate(con);
cert_datalen = i2d_X509(cert, NULL);
[...]
}
In this function,you do cert verify . But the API
SSL_get_peer_certificate and SSL_get_verify_result do not in the same
case.There may exist some problem?
** Affects: dnsval (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1681177
Title:
Disabled SSL certificate verify
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dnsval/+bug/1681177/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
Re: [Bug 1677947] Re: no SSL certificate verify
According to OpenSSL document, a correct certificate chain validation
pattern is like this:
const SSL_METHOD *method;
SSL_CTX *ctx;
SSL *ssl;
[...]
method = TLSv1_client_method(); //select protocol
[...]
ctx = SSL_CTX_new(method); //Create CTX
[...]
ssl = SSL_new(ctx); //Create SSL
[...]
//set SSL_VERIFY_PEER flag for certificate chain validation during handshake
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER,...);
[...]
SSL_connect(ssl); //Start handshake
SSL_CTX_set_verify sets the verification flags for CTX but
SSL_set_verify sets the verification flags for SSL. libeap's internal
method tls_connection_set_verify() contains the method SSL_set_verify(). I
think use method SSL_CTX_set_verify() is a correct way?
2017-04-01 2:33 GMT+08:00 Adam Bishop <1677...@bugs.launchpad.net>:
> Can you share more information on this, such as the tool you used for
> static analysis or more detailed output? Ideal would be the code path
> that your tool believes exhibits the behaviour.
>
> libeap's internal method tls_connection_set_verify() should be called to
> set the verification callback for the context before SSL_connect() or
> SSL_accept() is reached - if there is a code path that makes this not be
> the case, it's not immediately obvious.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1677947
>
> Title:
> no SSL certificate verify
>
> Status in moonshot-gss-eap package in Ubuntu:
> New
>
> Bug description:
> Hi developers:
> We made a large scale security static analysis on several open
> source projects, and found some mistakes in moonshot-gss-eap_0.9.5,In the
> @libeap/src/crypto/Tls_openssl.c:2255:
> static struct wpabuf * openssl_handshake(struct tls_connection
> *conn, const struct wpabuf *in_data,int server)
> {
> [...]
> if (server)
> res = SSL_accept(conn->ssl);
> else
> res = SSL_connect(conn->ssl);
> [...]
> }
>
> You create SSL connect and then start to execute read/write
> operation without verify certificate,which can lead to MITM attack and
> cause leakage of sensitive data.We recommand you add cert verify
> operation such as SSL_CTX_set_verify or SSL_get_peer_certificate to
> guarantee the security.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/moonshot-gss-eap/+bug/1677947/+
> subscriptions
>
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1677947
Title:
no SSL certificate verify
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/moonshot-gss-eap/+bug/1677947/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1677951] Re: incomplete SSL certificate verify
OK.Here are the link:
https://github.com/monitoring-plugins/monitoring-plugins/issues/1479
Thanks.
2017-03-31 22:01 GMT+08:00 Daniel Llewellyn :
> Thank you for taking the time to report this bug and helping to make
> Ubuntu better. The issue you are reporting is an upstream one and it
> would be nice if somebody having it could send the bug to the developers
> of the software by following the instructions at https://github.com
> /monitoring-plugins/monitoring-plugins/issues. If you have done so,
> please tell us the number of the upstream bug (or the link), so we can
> add a bugwatch that will inform us about its status. Thanks in advance.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1677951
>
> Title:
> incomplete SSL certificate verify
>
> Status in monitoring-plugins package in Ubuntu:
> New
>
> Bug description:
> Hi developers:
> We made a large scale security static analysis on several open
> source projects, and found some mistakes in monitoring-plugins-2.1.2. In
> the @plugins/sslutils.c:164:
> int np_net_ssl_check_cert(int days_till_exp_warn, int
> days_till_exp_crit){
> # ifdef USE_OPENSSL
> [...]
> certificate=SSL_get_peer_certificate(s);
>
> if (!certificate) {
> printf("%s\n",_("CRITICAL - Cannot retrieve server
> certificate."));
> return STATE_CRITICAL;
> }
>
> /* Extract CN from certificate subject */
> subj=X509_get_subject_name(certificate);
> [...]
> }
>
> We find that you use SSL_get_peer_certificate() to get the cert
> and verify some properties of it.But it still not secure enough and
> can lead to MITM attack. To guarantee the security,we recommand you
> add the judgement if(SSL_get_verify_result(ssl)==X509_V_OK) to make
> sure validation succeeds.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/monitoring-
> plugins/+bug/1677951/+subscriptions
>
** Bug watch added: github.com/monitoring-plugins/monitoring-plugins/issues
#1479
https://github.com/monitoring-plugins/monitoring-plugins/issues/1479
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1677951
Title:
incomplete SSL certificate verify
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/monitoring-plugins/+bug/1677951/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1677958] Re: no SSL certificate verify
** Information type changed from Private Security to Public -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1677958 Title: no SSL certificate verify To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nghttp2/+bug/1677958/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1677951] Re: incomplete SSL certificate verify
** Information type changed from Private Security to Public -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1677951 Title: incomplete SSL certificate verify To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/monitoring-plugins/+bug/1677951/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1677558] Re: no SSL certificate verify
** Information type changed from Private Security to Public -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1677558 Title: no SSL certificate verify To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/elog/+bug/1677558/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1677518] Re: Disabled SSL certificate verify
** Information type changed from Private Security to Public -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1677518 Title: Disabled SSL certificate verify To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/wrk/+bug/1677518/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1677947] Re: no SSL certificate verify
** Information type changed from Private Security to Public -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1677947 Title: no SSL certificate verify To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/moonshot-gss-eap/+bug/1677947/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1677511] Re: Disabled SSL certificate verify
** Information type changed from Private Security to Public -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1677511 Title: Disabled SSL certificate verify To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libstrophe/+bug/1677511/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1677506] Re: incomplete SSL certificate verify
** Information type changed from Private Security to Public -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1677506 Title: incomplete SSL certificate verify To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/tnftp/+bug/1677506/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1677501] Re: no SSL certificate verify
** Information type changed from Private Security to Public -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1677501 Title: no SSL certificate verify To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nsca-ng/+bug/1677501/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1677493] Re: no SSL certificate verify
** Information type changed from Private Security to Public -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1677493 Title: no SSL certificate verify To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/r-cran-rsclient/+bug/1677493/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1677495] Re: no SSL certificate verify
** Information type changed from Private Security to Public -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1677495 Title: no SSL certificate verify To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/uhub/+bug/1677495/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
