Disabled SSL certificate verify
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
wrk (Ubuntu) | New | Undecided | Unassigned |
Bug Description
Hi developers:
We made a large-scale security static analysis of several open source projects and found some mistakes in wrk-4.0.1. In src/ssl.c:42:

```c
SSL_CTX *ssl_init() {
    [...]
    if ((ctx = SSL_CTX_
        }
    }
    return ctx;
}
```
The parameter SSL_VERIFY_NONE here cannot configure the built-in certificate validation, so the handshake can continue even if the cert is invalid. We recommend you use SSL_VERIFY_PEER to guarantee security.
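As an added illustration (not part of the bug report and not wrk's code), the reported misconfiguration is shown beside the recommended one using Python's standard-library `ssl` module, which wraps the same OpenSSL verify modes: `CERT_NONE` corresponds to `SSL_VERIFY_NONE`, `CERT_REQUIRED` to `SSL_VERIFY_PEER`. All function names below are the example's own; `audit_context()` is a small check that flags a client context that would accept an invalid certificate.

```python
import socket
import ssl

# Added example, not wrk's code: the weak client setting from the report
# beside the hardened one, plus a check that tells them apart.


def weak_client_context() -> ssl.SSLContext:
    """Reproduces the reported misconfiguration (SSL_VERIFY_NONE).

    Any certificate is accepted: self-signed, expired, revoked or issued for
    a different host. The handshake completes and the client learns nothing
    about who is on the other end.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Hostname checking must be cleared first; Python refuses to set
    # CERT_NONE while check_hostname is still on.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE        # same effect as SSL_VERIFY_NONE
    return ctx


def hardened_client_context(cafile=None) -> ssl.SSLContext:
    """The recommended setting (SSL_VERIFY_PEER plus hostname binding).

    create_default_context() sets verify_mode=CERT_REQUIRED, turns on
    check_hostname and loads the system trust store (or `cafile` if given).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the weaknesses found in a client context (empty list = OK).

    This mirrors what a static check of the SSL_CTX_set_verify() call looks
    for: is peer verification on, and is the certificate bound to the host?
    """
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append(
            "verify_mode is not CERT_REQUIRED: peer certificate is not validated")
    if not ctx.check_hostname:
        findings.append(
            "check_hostname is off: certificate is not bound to the target host")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows TLS older than 1.2")
    return findings


def fetch_peer_cert(host: str, port: int = 443, ctx=None) -> dict:
    """Connect with a verifying context and return the validated peer cert.

    With the hardened context an invalid certificate raises
    ssl.SSLCertVerificationError instead of silently succeeding; with the
    weak context the same connection would go through.
    """
    ctx = ctx or hardened_client_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_context(ctx) or ["no findings"])
```

Running the module prints the findings for both contexts; `fetch_peer_cert("example.org")` is the shape of a real verified connection and is the call that fails loudly when the server presents a certificate the trust store does not accept.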
information type: Private Security → Public