Disabled SSL certificate verify

Bug #1677518 reported by Ruan Linqi
Affects: wrk (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

Hi developers:
    We made a large-scale security static analysis of several open source projects and found some mistakes in wrk-4.0.1. In @src/ssl.c:42:
    SSL_CTX *ssl_init() {
        [...]
            if ((ctx = SSL_CTX_new(SSLv23_client_method()))) {
                SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);   /* peer certificate is never validated */
                SSL_CTX_set_verify_depth(ctx, 0);
                SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
                SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_CLIENT);
            }
        }
        return ctx;
    }

  The parameter SSL_VERIFY_NONE here cannot configure the built-in certificate validation, so the handshake can continue even if the cert is invalid. We recommend you use SSL_VERIFY_PEER to guarantee security.
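The following is an added example, not code from wrk or from the reporter. It uses Python's ssl module, which wraps the same OpenSSL SSL_CTX the quoted function configures, to put the weak client configuration from the report beside a hardened one and to audit a context for the three things a verifying client needs: peer verification switched on, hostname checking switched on, and a non-empty trust store. The mapping to libssl calls is noted in the module docstring; the finding names and the audit function are this example's own.

```python
"""Weak vs. hardened TLS client context, with a small configuration audit.

Added example (not wrk's code). Python's ssl module drives the same OpenSSL
SSL_CTX, so each setting corresponds to a libssl call:
  ctx.verify_mode = CERT_NONE      <-> SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL)
  ctx.verify_mode = CERT_REQUIRED  <-> SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL)
  ctx.load_default_certs()         <-> SSL_CTX_set_default_verify_paths(ctx)
"""
import ssl
from typing import Optional, Set


def weak_client_context() -> ssl.SSLContext:
    """Mirror of the behaviour reported for wrk-4.0.1 ssl_init(): accept any cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Python refuses CERT_NONE while hostname checking is still on, so both
    # protections have to be disabled explicitly, in this order.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """The SSL_VERIFY_PEER fix the report asks for, plus hostname matching.

    create_default_context() sets CERT_REQUIRED and check_hostname=True and
    loads the system trust store (or the CA bundle given in `cafile`).
    """
    return ssl.create_default_context(cafile=cafile)


def audit_context(ctx: ssl.SSLContext) -> Set[str]:
    """Return the set of weaknesses found in a client-side context.

    Finding names are this example's own labels, not OpenSSL identifiers.
    """
    findings = set()
    if ctx.verify_mode == ssl.CERT_NONE:
        # The certificate chain is never validated; any cert passes.
        findings.add("VERIFY_NONE")
    if not ctx.check_hostname:
        # A chain that validates for some other name would still be accepted.
        findings.add("NO_HOSTNAME_CHECK")
    if ctx.cert_store_stats()["x509_ca"] == 0:
        # With CERT_REQUIRED this makes every handshake fail; with CERT_NONE it
        # shows that no trust anchor was ever configured.
        findings.add("EMPTY_TRUST_STORE")
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()),
                      ("hardened", hardened_client_context())):
        print(f"{name}: {sorted(audit_context(ctx)) or 'no findings'}")
```

Two points carry over to the C code in the report. First, switching only the flag to SSL_VERIFY_PEER is not enough if no CA store is loaded (SSL_CTX_set_default_verify_paths or SSL_CTX_load_verify_locations); an empty store makes every verified handshake fail, which is the EMPTY_TRUST_STORE finding above. Second, the quoted SSL_CTX_set_verify_depth(ctx, 0) is harmless only because verification is off; once it is on, a depth of 0 permits no intermediate CA between the peer certificate and the trust anchor, so ordinary chains would be rejected as too long and the depth should be raised or left at its default.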

information type: Private Security → Public
