oss-sec mailing list archives
CVE Request: ruby openssl hostname verification issue
From: Marcus Meissner <meissner () suse de>
Date: Thu, 9 Jun 2016 10:06:13 +0200
Hi,

This probably warrants a CVE: https://github.com/ruby/openssl/issues/8

quoting:

Even if OpenSSL::SSL::VERIFY_PEER is configured, I/O is allowed with a remote server before the subject has been verified. VERIFY_PEER only checks the cert chain is rooted in the local truststore. It does not check if the subject is valid in and of itself.

My understanding is the ssl_socket.post_connection_check(hostname) method must be called to ensure the subject is correctly verified. However, communication is allowed to remote services without verifying the subject.

I would suggest throwing an exception if VERIFY_PEER is configured and I/O is attempted without first calling post_connection_check.

It would also be nice if this all happened automatically simply by passing hostname into OpenSSL::SSL::SSLSocket (which AFAICT only affects SNI presently, and not subject verification).

----

Ciao, Marcus

--
Marcus Meissner, SUSE LINUX GmbH; Maxfeldstrasse 5; D-90409 Nuernberg; Zi. 3.1-33, +49-911-740 53-432, serv=loki, mail=wotan, type=real <meissner () suse de>
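Added example (mine, not code from the mail or from ruby/openssl) reproducing the behaviour the issue describes on loopback: a constructed self-signed certificate for example.test serves as trust anchor, the client sets VERIFY_PEER and connects expecting a different name, the handshake still succeeds, and only post_connection_check(hostname) rejects the connection; the last call assumes ruby/openssl 2.0 or newer, whose SSLContext#verify_hostname option makes the handshake itself fail instead.

```ruby
require "openssl"
require "socket"
# Self-signed cert for cn, constructed for this demo; it doubles as the client's trust anchor.
def make_cert(cn)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{cn}"))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end
# Loopback TLS server presenting cert; each accepted connection is closed at once. Returns the port.
def start_server(cert, key)
  tcp = TCPServer.new("127.0.0.1", 0)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert, ctx.key = cert, key
  srv = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  Thread.new { loop { (srv.accept.close rescue nil) } }
  tcp.addr[1]
end
# Client with VERIFY_PEER. Returns :accepted, :rejected_after_connect (only post_connection_check
# caught the wrong name) or :rejected_at_connect (the handshake itself failed).
def connect_as(port, trust_anchor, hostname, verify_hostname: false)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER  # chain must root in cert_store; subject is not checked
  ctx.cert_store = OpenSSL::X509::Store.new.tap { |s| s.add_cert(trust_anchor) }
  ctx.verify_hostname = verify_hostname        # ruby/openssl >= 2.0: check the name during the handshake
  sock = OpenSSL::SSL::SSLSocket.new(TCPSocket.new("127.0.0.1", port), ctx)
  sock.sync_close = true
  sock.hostname = hostname                     # SNI; also the expected name when verify_hostname is on
  sock.connect
  handshake_done = true                        # stays nil in the rescue below if connect raised
  sock.post_connection_check(hostname)         # the explicit subject check from the report
  :accepted
rescue OpenSSL::SSL::SSLError
  handshake_done ? :rejected_after_connect : :rejected_at_connect
ensure
  sock&.close
end

cert, key = make_cert("example.test")
port = start_server(cert, key)
p connect_as(port, cert, "example.test")                       # :accepted
p connect_as(port, cert, "wrong.test")                         # :rejected_after_connect
p connect_as(port, cert, "wrong.test", verify_hostname: true)  # :rejected_at_connect
```

Any read or write placed between connect and post_connection_check in the second case would reach a server whose name was never checked, which is exactly the window the report is about.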