Duplicity does not verify SSL certificate prior to connecting
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Duplicity | Fix Released | Undecided | Unassigned | |
| Debian | Fix Released | Unknown | | |
Bug Description
While doing some testing using deja-dup I noticed that the SSL certificate that Amazon S3 was providing wasn't correct.
```
$ openssl s_client -connect s3-1-w.
CONNECTED(00000003)
depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
verify return:1
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https:/
verify return:1
depth=0 C = US, ST = Washington, L = Seattle, O = Amazon.com Inc., CN = *.s3.amazonaws.com
verify return:1
---
Certificate chain
 0 s:/C=US/
   i:/C=
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https:/
   i:/C=
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=
```
The Amazon certificate is a wildcard cert for *.s3.amazonaws.com. Unfortunately the domain duplicity was connecting to was s3-1-w.
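The report's point is that a TLS client must do two separate checks: validate the chain up to a trusted root (the `verify return:1` lines above) and confirm that the leaf certificate's names actually cover the hostname it dialled, where a wildcard such as `*.s3.amazonaws.com` stands in for exactly one label. The following is an added example, not duplicity's or deja-dup's code: a small hostname-matching routine following the single-label wildcard rule of RFC 6125, plus the Python `ssl` context settings that enforce both checks versus the settings that skip them. The certificate name list and the stand-in hostname `s3-1-w.example.net` are constructed for the example; the report's real target hostname is truncated on the page and is not reproduced here.

```python
import socket
import ssl


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name covers hostname.

    Follows RFC 6125 section 6.4.3: a leading '*.' may replace exactly one
    whole leftmost label, nothing more. Comparison is case-insensitive and
    ignores a trailing dot.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                     # e.g. ".s3.amazonaws.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]      # the part the '*' must stand for
    # Exactly one non-empty label may replace the wildcard.
    return bool(leftmost) and "." not in leftmost


def cert_covers(cert_names, hostname: str) -> bool:
    """True if any name presented by the certificate covers hostname."""
    return any(wildcard_matches(name, hostname) for name in cert_names)


# Constructed name list modelled on the CN shown in the report.
AMAZON_CERT_NAMES = ["*.s3.amazonaws.com"]


def verifying_context() -> ssl.SSLContext:
    """Client context that validates the chain against the system CA store
    and checks the leaf's names against the server_hostname given at connect."""
    ctx = ssl.create_default_context()
    # create_default_context() already sets these; stated here for clarity.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def unverified_context() -> ssl.SSLContext:
    """The weak configuration: the TLS handshake succeeds against any
    certificate, which is what a client that skips verification amounts to."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False               # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_verifies(ctx: ssl.SSLContext) -> bool:
    """Report whether a context enforces both chain and hostname checks."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def connect_verified(host: str, port: int = 443) -> ssl.SSLSocket:
    """Open a TLS connection that fails unless the chain is trusted and the
    certificate covers `host`. Passing server_hostname is what makes the
    hostname check happen; it is not called in the offline test."""
    ctx = verifying_context()
    raw = socket.create_connection((host, port))
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    for host in ["mybucket.s3.amazonaws.com",   # one label under the wildcard
                 "s3-1-w.example.net",          # hypothetical host outside it
                 "a.b.s3.amazonaws.com",        # two labels: wildcard does not span
                 "s3.amazonaws.com"]:           # bare name: not covered by '*.'
        print(f"{host:30} covered={cert_covers(AMAZON_CERT_NAMES, host)}")
    print("default context verifies:", context_verifies(verifying_context()))
    print("unverified context verifies:", context_verifies(unverified_context()))
```

Only the first hostname above is covered by the wildcard; a host that merely shares the `amazonaws.com` suffix, a host two labels deep, and the bare `s3.amazonaws.com` all fail, which is why a client that connects to one of those must either reject the certificate or, as in this bug, be silently skipping the check.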
CVE References
- information type: Private Security → Public Security
- Changed in debian: status: Unknown → Confirmed
- Changed in debian: status: Confirmed → Fix Released
- Changed in duplicity: status: New → Fix Released
Hi, it's been three weeks. Can anyone comment on this?