View Issue Details

ID: 0005019
Project: SOGo
Category: SOPE
View Status: public
Last Update: 2020-07-09 17:56
Reporter: the_nic
Assigned To: (none)
Status: resolved
Resolution: fixed
Fixed in Version: 5.0.0
Summary: 0005019: TLS implementation in NGActiveSSLSocket does not verify peer

The TLS socket implementation in NGActiveSSLSocket currently does not verify the peer, meaning that any certificate is accepted, both with GnuTLS and with OpenSSL.

This is quite bad, as it allows for MITM attacks, which TLS can easily prevent.

To fix this, NGActiveSSLSocket would need a host name passed (or extracted from the underlying socket) and then be verified:

GnuTLS:
  • Load the root CA store: gnutls_certificate_set_x509_trust_file() or gnutls_certificate_set_x509_system_trust()
  • gnutls_server_name_set() with the host name

OpenSSL:
  • adjust the line SSL_CTX_set_verify(self->ctx, SSL_VERIFY_NONE, NULL); to verify the peer (removing it should be sufficient)
  • set the host name with SSL_set_tlsext_host_name()

Generally following (OpenSSL) and (GnuTLS) should be good practice

  • SSL_set_tlsext_host_name(ssl, host)
Tags: No tags attached.
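The two client configurations this report contrasts, as an added illustration that is not SOPE or NGActiveSSLSocket code. It uses Python's standard ssl module, which wraps the same OpenSSL API, so the settings map directly onto the calls named in the report: CERT_NONE is SSL_VERIFY_NONE, CERT_REQUIRED is SSL_VERIFY_PEER, the system trust store corresponds to gnutls_certificate_set_x509_system_trust(), and server_hostname is what SSL_set_tlsext_host_name() / gnutls_server_name_set() carry. The function names (insecure_context, verifying_context, start_tls, hostname_is_required, sni_name) and the host name mail.example.test are this example's own assumptions; the socket pair is constructed in-process so nothing touches the network.

```python
"""Client-side TLS setup: the configuration the report describes versus the
proposed fix, built with Python's standard ssl module (an OpenSSL wrapper).
Added example; not code from SOPE/NGActiveSSLSocket."""
import socket
import ssl
from typing import Optional


def insecure_context() -> ssl.SSLContext:
    """What the report describes: SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL).

    The handshake completes with any certificate, so a man-in-the-middle
    presenting its own certificate is indistinguishable from the real server.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE     # == SSL_VERIFY_NONE
    return ctx


def verifying_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """The proposed fix: trusted root store + SSL_VERIFY_PEER + host name check.

    create_default_context() sets verify_mode=CERT_REQUIRED (SSL_VERIFY_PEER)
    and check_hostname=True; with cafile=None it loads the system trust store
    (analogue of gnutls_certificate_set_x509_system_trust()), and an explicit
    cafile corresponds to gnutls_certificate_set_x509_trust_file().
    """
    return ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)


def describe(ctx: ssl.SSLContext) -> dict:
    """Plain-value summary of the two settings that decide peer verification."""
    return {"verify_mode": int(ctx.verify_mode),   # 0 = CERT_NONE, 2 = CERT_REQUIRED
            "check_hostname": bool(ctx.check_hostname)}


def start_tls(ctx: ssl.SSLContext, sock: socket.socket,
              host: Optional[str] = None) -> ssl.SSLSocket:
    """Attach TLS to an already-connected socket, sending `host` as SNI.

    The handshake is deferred (do_handshake_on_connect=False) so the helpers
    below run offline; a real client calls do_handshake() next, and with a
    verifying context a bad chain or a name mismatch raises SSLError there.
    """
    return ctx.wrap_socket(sock, server_hostname=host,
                           do_handshake_on_connect=False)


def hostname_is_required(ctx: ssl.SSLContext) -> bool:
    """Does this context refuse to start TLS without a host name to verify?

    This is the report's point that NGActiveSSLSocket needs the host name
    passed in: with check_hostname enabled, ssl raises ValueError before any
    bytes are exchanged if no server_hostname is supplied.
    """
    local, peer = socket.socketpair()   # constructed, connected pair; no network
    tls = None
    try:
        tls = start_tls(ctx, local)
        return False
    except ValueError:
        return True
    finally:
        (tls if tls is not None else local).close()
        peer.close()


def sni_name(ctx: ssl.SSLContext, host: str) -> Optional[str]:
    """Host name the client will send as SNI and check the leaf cert against."""
    local, peer = socket.socketpair()   # constructed; handshake never runs here
    tls = start_tls(ctx, local, host)
    try:
        return tls.server_hostname
    finally:
        tls.close()
        peer.close()


if __name__ == "__main__":
    for label, ctx in (("as reported", insecure_context()),
                       ("proposed fix", verifying_context())):
        print(label, describe(ctx),
              "host name required:", hostname_is_required(ctx))
```

The "as reported" context wraps the socket happily with no host name at all, which is exactly why it cannot detect an interposed server; the verifying context refuses to start before the handshake, which is the behaviour the report asks NGActiveSSLSocket to adopt by threading the host name through to the TLS layer.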

Note ~0014339 (reporter, 2020-05-14 18:03)

Implemented in

Note ~0014394 (reporter, 2020-06-05 01:52)

Someone should probably go and get a CVE issued for this so distros can backport it. Missing SSL Certificate Validation is literally one of the CVE categories.

Note ~0014488 (reporter, 2020-07-09 16:54)

I think this can be closed, as the change has been merged.

Issue History

Date Modified Username Field Change
2020-05-11 09:04 the_nic New Issue
2020-05-14 18:03 the_nic Note Added: 0014339
2020-06-05 01:52 ajs124 Note Added: 0014394
2020-07-09 16:54 the_nic Note Added: 0014488
2020-07-09 17:56 francis Status new => resolved
2020-07-09 17:56 francis Resolution open => fixed
2020-07-09 17:56 francis Fixed in Version => 5.0.0