Bugtraq mailing list archives

Re: IE SSL Vulnerability


From: Balazs Scheidler <bazsi () balabit hu>
Date: Thu, 8 Aug 2002 13:38:46 +0200

On Mon, Aug 05, 2002 at 04:03:29PM -0700, Mike Benham wrote:

However, there is a slightly more complicated scenario.  Sometimes it is
convenient to delegate signing authority to more localized authorities.
In this case, the administrator of www.thoughtcrime.org would get a chain
of certificates from the localized authority:

[Issuer: VeriSign / Subject: VeriSign]
-> [Issuer: VeriSign / Subject: Intermediate CA]
   -> [Issuer: Intermediate CA / Subject: www.thoughtcrime.org]

When a web browser receives this, it should verify that the CN field of
the leaf certificate matches the domain it just connected to, that it's
signed by the intermediate CA, and that the intermediate CA is signed by a
known CA certificate.  Finally, the web browser should also check that all
intermediate certificates have valid CA Basic Constraints.

You guessed it, Internet Explorer does not check the Basic Constraints.

As OpenSSL's default verify callback does not check basic constraints,
clients that utilize OpenSSL as a backend and verify server certificates can
be affected too.

w3m for example does no basic constraints checking on its own, and neither
does lynx.

As I see it, the curl library does no basic constraints checking, so anything
that uses curl to fetch https URLs is affected too.

As a final example, stunnel does not check basic constraints either. The
latter is usually using self-generated certificates, so the impact is not
that severe.

An untested (but compiling) code fragment which checks the basicConstraints.ca
field is below (it is to be inserted into the SSL verify_callback):

- ctx is the X509_STORE_CTX as passed to the verify callback
- xs is the X509 certificate to be verified (the callback is called for
  every certificate in chain)

  /* subject_name, issuer_name, errnum and FALSE are assumed to be defined
     by the surrounding verify callback */
  if (ok)
    {
      X509_OBJECT obj;
      int bconstraints;
      BASIC_CONSTRAINTS *bc;
      int rc;

      /* look up the issuer certificate in the store to check whether it is a CA */
      rc = X509_STORE_get_by_subject(ctx, X509_LU_X509, X509_get_issuer_name(xs), &obj);
      if (rc > 0 && obj.data.x509)
        {
          bconstraints = X509_get_ext_by_NID(obj.data.x509, NID_basic_constraints, -1);
          if (bconstraints >= 0)
            {
              /* basic constraints found; the index refers to the issuer
                 certificate, so decode the extension from it and not from xs */
              bc = X509V3_EXT_d2i(X509_get_ext(obj.data.x509, bconstraints));
            }
          else
            {
              bc = NULL;
            }
          if (!bc)
            {
              printf("X509 extension basicConstraints missing from issuer; subject='%s', issuer='%s'", subject_name, issuer_name);
              ok = FALSE;
              errnum = X509_V_ERR_INVALID_CA;
            }
          else if (!bc->ca)
            {
              printf("CA certificate with basicConstraints.ca == FALSE; subject='%s', issuer='%s'", subject_name, issuer_name);
              ok = FALSE;
              errnum = X509_V_ERR_INVALID_CA;
            }
          /* release the decoded extension and the reference taken by the lookup */
          BASIC_CONSTRAINTS_free(bc);
          X509_OBJECT_free_contents(&obj);
        }
    }

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
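
The check described in the quoted text (every intermediate certificate must carry basicConstraints with cA set), as an added example that is not part of the original post and does not use OpenSSL. The struct cert model, the function names bc_is_ca and check_chain, and the sample chains are constructed for illustration; signature and host name checks are assumed to happen elsewhere.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of a certificate: only the fields this check needs. */
struct cert {
    const char *subject, *issuer;
    const unsigned char *bc;    /* DER value of basicConstraints, NULL if absent */
    size_t bc_len;
};

/* BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLen INTEGER OPTIONAL }
   Returns 1 if cA is TRUE, 0 if FALSE or defaulted, -1 if absent or malformed. */
int bc_is_ca(const unsigned char *der, size_t len)
{
    if (!der || len < 2 || der[0] != 0x30 || der[1] > 0x7f || (size_t)der[1] + 2 != len)
        return -1;
    if (der[1] == 0 || der[2] == 0x02)
        return 0;               /* empty, or only pathLen: cA defaults to FALSE */
    if (der[2] != 0x01 || len < 5 || der[3] != 1)
        return -1;              /* not a one-byte BOOLEAN */
    return der[4] == 0xff;      /* DER encodes TRUE as 0xFF */
}

/* chain[0] is the leaf, chain[n-1] the trust anchor. Returns -1 if the chain
   passes, otherwise the index of the offending certificate. */
int check_chain(const struct cert *chain, size_t n)
{
    for (size_t i = 0; i + 1 < n; i++) {
        if (strcmp(chain[i].issuer, chain[i + 1].subject) != 0)
            return (int)i;              /* issuer name does not chain */
        if (i + 2 < n && bc_is_ca(chain[i + 1].bc, chain[i + 1].bc_len) != 1)
            return (int)(i + 1);        /* intermediate is not a CA */
    }
    return -1;
}

/* Constructed sample chains using the names from the post. */
static const unsigned char BC_CA[]  = {0x30, 0x03, 0x01, 0x01, 0xff};  /* cA = TRUE */
static const unsigned char BC_END[] = {0x30, 0x00};                    /* cA defaulted */
#define ROOT {"VeriSign", "VeriSign", BC_CA, sizeof BC_CA}
#define LEAF {"www.thoughtcrime.org", "Intermediate CA", BC_END, sizeof BC_END}
const struct cert GOOD[]    = {LEAF, {"Intermediate CA", "VeriSign", BC_CA, sizeof BC_CA}, ROOT};
const struct cert NOT_CA[]  = {LEAF, {"Intermediate CA", "VeriSign", BC_END, sizeof BC_END}, ROOT};
const struct cert MISSING[] = {LEAF, {"Intermediate CA", "VeriSign", NULL, 0}, ROOT};

int main(void)
{
    printf("%d %d %d\n", check_chain(GOOD, 3), check_chain(NOT_CA, 3), check_chain(MISSING, 3));
    return 0;
}
```

NOT_CA and MISSING correspond to the two rejection branches in the fragment above: cA FALSE and basicConstraints absent.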

