[Bug 1677958] Re: no SSL certificate verify
** Also affects: nghttp2 (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Changed in: nghttp2 (Ubuntu)
       Status: New => Fix Released

** Changed in: nghttp2 (Ubuntu Xenial)
       Status: New => Confirmed

--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to nghttp2 in Ubuntu.
https://bugs.launchpad.net/bugs/1677958

Title:
  no SSL certificate verify

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nghttp2/+bug/1677958/+subscriptions

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1677958] Re: no SSL certificate verify
Hello Ruan,

Thank you for keeping us apprised of the situation.

I see in that function that they do call

    SSL_set_verify(ssl, SSL_VERIFY_PEER, verify_cb);

[elided from your excerpt] but you are saying the MITM attack exists
because they are not verifying the global context?

** Changed in: nghttp2 (Ubuntu)
       Status: Invalid => New
[Bug 1677958] Re: no SSL certificate verify
To be clear, this bug is in example code to demonstrate how one uses
libnghttp2, not in any actual libnghttp2 code.

The upstream developer Tatsuhiro Tsujikawa (offlist) said:

> Thank you for the security analysis.
> examples/client.c is an example program to show how to use libnghttp2, and we
> made it intentionally simple.
> In addition, since developers often use self-signed certificates for
> developments, we omitted any verification after handshake. We never expect
> to see this as used in production scenario.

Ruan, I believe the upstream developer is waiting on you to respond with
how you would like them to proceed: either a block comment or removal of
the example code.

** Changed in: nghttp2 (Ubuntu)
       Status: Confirmed => Invalid
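For readers following the thread, an added example (not nghttp2's code and not from the bug report) of the same distinction in the Python ssl module: a client context that completes the TLS handshake without checking the peer certificate or hostname, as the example client does, next to the hardened form, plus a small audit that flags the weak settings. The function names and finding strings are hypothetical.

```python
import socket
import ssl


def make_client_context(verify_peer: bool) -> ssl.SSLContext:
    """Build an HTTP/2 client context (hypothetical helper, not nghttp2's).

    verify_peer=False reproduces the weakness in the bug report: the handshake
    succeeds, but the server's chain and hostname are never checked, so an
    on-path attacker's certificate is accepted silently.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if ssl.HAS_ALPN:
        ctx.set_alpn_protocols(["h2"])  # nghttp2 negotiates HTTP/2 via ALPN
    if verify_peer:
        # PROTOCOL_TLS_CLIENT already defaults to these; set them explicitly
        # so the intent is visible to reviewers and to audit_client_context().
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.check_hostname = True
        ctx.load_default_certs()
    else:
        # Order matters: check_hostname must be cleared before verify_mode
        # may become CERT_NONE, otherwise the ssl module raises ValueError.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> list:
    """Return the findings a reviewer would raise against a client context."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("peer certificate not verified (CERT_NONE)")
    elif ctx.verify_mode == ssl.CERT_OPTIONAL:
        findings.append("peer certificate optional (CERT_OPTIONAL)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    return findings


def connect_h2(host: str, port: int = 443, verify_peer: bool = True) -> str:
    """Open a TLS connection and return the negotiated ALPN protocol.

    With verify_peer=True a chain or hostname mismatch raises
    ssl.SSLCertVerificationError during wrap_socket(), which is the check
    the example client omits after its handshake.
    """
    ctx = make_client_context(verify_peer)
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.selected_alpn_protocol() or "none"
```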