no SSL certificate verify
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
nghttp2 (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Xenial |
Confirmed
|
Undecided
|
Unassigned |
Bug Description
Hi developers:
We made a large scale security static analysis on several open source projects, and found some mistakes in nghttp2 1.7.1. In the @example/
static void fetch_uri(const struct URI *uri) {
{
[...]
ssl_ctx = SSL_CTX_
if (ssl_ctx == NULL) {
dief(
}
init_
ssl = SSL_new(ssl_ctx);
if (ssl == NULL) {
dief(
}
/* To simplify the program, we perform SSL/TLS handshake in blocking
I/O. */
ssl_
[...]
}
The function ssl_handshake(ssl, fd) achieve SSL_connect(ssl). When finish the SSL connect, you immedicately start to execute read/write operation without verify certificate,which can lead to MITM attack and cause leakage of sensitive data.We recommand you add verify operation such as SSL_CTX_set_verify or SSL_get_
information type: | Private Security → Public |
Changed in nghttp2 (Ubuntu): | |
status: | New → Fix Released |
Changed in nghttp2 (Ubuntu Xenial): | |
status: | New → Confirmed |
Has this been reported upstream to nghttp2?