Comment 2 for bug 1314234

Kenneth Loafman (kenneth-loafman) wrote : Re: [Bug 1314234] Re: Duplicity does not verify SSL certificate prior to connecting

I am not entirely sure what the answer should be. If we 'fail' the
connection and refuse to accept a mis-applied wildcard, we'll probably fail
most connections (there are a bunch of systems in a bunch of companies set
up like this). We could 'warn' in this case, but that just creates more
noise.

My best guess would be to accept if the domain matches 'amazonaws.com',
and fail if it does not. Tricky.

On Tue, May 20, 2014 at 8:11 AM, Eric Christensen <
<email address hidden>> wrote:

> Hi, it's been three weeks. Can anyone comment on this?
>
> --
> You received this bug notification because you are subscribed to
> Duplicity.
> https://bugs.launchpad.net/bugs/1314234
>
> Title:
> Duplicity does not verify SSL certificate prior to connecting
>
> Status in Duplicity - Bandwidth Efficient Encrypted Backup:
> New
>
> Bug description:
> While doing some testing using deja-dup I noticed that the SSL
> certificate that Amazon S3 was providing wasn't correct.
>
> $ openssl s_client -connect s3-1-w.amazonaws.com:443 -crlf
> CONNECTED(00000003)
> depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary
> Certification Authority
> verify return:1
> depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU =
> "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3
> Public Primary Certification Authority - G5
> verify return:1
> depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU =
> Terms of use at https://www.verisign.com/rpa (c)10, CN = VeriSign Class 3
> Secure Server CA - G3
> verify return:1
> depth=0 C = US, ST = Washington, L = Seattle, O = Amazon.com Inc., CN =
> *.s3.amazonaws.com
> verify return:1
> ---
> Certificate chain
> 0 s:/C=US/ST=Washington/L=Seattle/O=Amazon.com Inc./CN=*.s3.amazonaws.com
> i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at
> https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA -
> G3
> 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at
> https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA -
> G3
> i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006
> VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary
> Certification Authority - G5
> 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006
> VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary
> Certification Authority - G5
> i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification
> Authority
>
> The Amazon certificate is a wildcard cert for *.s3.amazonaws.com.
> Unfortunately the domain duplicity was connecting to was
> s3-1-w.amazonaws.com. Duplicity should have verified that the
> certificate was valid for the domain it was connected to.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/duplicity/+bug/1314234/+subscriptions
>
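
The hostname check discussed in this thread, as an added example that is not part of the original messages or of duplicity's code. It compares strict wildcard matching (the wildcard is the whole left-most label and covers exactly one label) with one assumed reading of the relaxed "same parent domain" rule; all function names and the hosts marked as constructed are illustrative.

```python
# Added example, not duplicity code. All function names are illustrative.

def _labels(name):
    # Normalise case, drop a trailing root dot, split into DNS labels.
    return name.rstrip(".").lower().split(".")

def strict_match(pattern, hostname):
    """Does certificate DNS name `pattern` cover `hostname`?

    The wildcard counts only as the whole left-most label and stands for
    exactly one label. Partial wildcards such as "s3*.example" are refused.
    """
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if any("*" in label for label in p[1:]) or "*" in "".join(h):
        return False
    if p[0] == "*":
        # Require two fixed labels so "*.com" never matches anything.
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in p[0]:
        return False
    return p == h

def suffix_match(pattern, hostname, parent="amazonaws.com"):
    """Assumed reading of the relaxed rule: both names end in `parent`."""
    def under(name):
        n = ".".join(_labels(name))
        return n == parent or n.endswith("." + parent)
    return under(pattern.replace("*.", "", 1)) and under(hostname)

CERT_CN = "*.s3.amazonaws.com"          # CN from the openssl output above
HOSTS = [
    "s3-1-w.amazonaws.com",             # host named in the bug description
    "mybucket.s3.amazonaws.com",        # constructed
    "a.b.s3.amazonaws.com",             # constructed: wildcard would span a dot
    "s3.amazonaws.com.example.net",     # constructed: different parent domain
]

def compare(cn=CERT_CN, hosts=HOSTS):
    # Map each host to (strict result, relaxed result).
    return {h: (strict_match(cn, h), suffix_match(cn, h)) for h in hosts}

if __name__ == "__main__":
    for host, (strict, relaxed) in compare().items():
        print(f"{host:32} strict={strict!s:5} suffix={relaxed}")
```

The strict check rejects `s3-1-w.amazonaws.com` for this certificate, while the suffix rule accepts it along with every other name under the parent domain.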