View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0005019||SOGo||SOPE||public||2020-05-11 09:04||2020-07-09 17:56|
|Fixed in Version||5.0.0|
|Summary||0005019: TLS implementation in NGActiveSSLSocket does not verify peer|
The TLS socket implementation in NGActiveSSLSocket currently does not verify the peer. Meaning, that any certificate is accepted, both for gnutls as with openssl.
This is quite bad, as it allows for MITM attacks, which TLS can easily prevent.
To fix this, NGActiveSSLSocket would need a host name passed (or extracted from the underlying socket) and then be verified:
Generally following https://docs.fedoraproject.org/en-US/Fedora_Security_Team/1/html/Defensive_Coding/sect-Defensive_Coding-TLS-Client.html (OpenSSL) and https://docs.fedoraproject.org/en-US/Fedora_Security_Team/1/html/Defensive_Coding/sect-Defensive_Coding-TLS-Client-GNUTLS.html (GnuTLS) should be good practivce
|Tags||No tags attached.|
Implemented in https://github.com/inverse-inc/sope/pull/52
Someone should probably go and get a CVE issued for this so distros can backport it. Missing SSL Certificate Validation is literally one of the CVE categories.
I think this can be closed, as the change has been merged
|2020-05-11 09:04||the_nic||New Issue|
|2020-05-14 18:03||the_nic||Note Added: 0014339|
|2020-06-05 01:52||ajs124||Note Added: 0014394|
|2020-07-09 16:54||the_nic||Note Added: 0014488|
|2020-07-09 17:56||francis||Status||new => resolved|
|2020-07-09 17:56||francis||Resolution||open => fixed|
|2020-07-09 17:56||francis||Fixed in Version||=> 5.0.0|