Comment 5 for bug 1314234

Vincent Danen (vdanen) wrote : Re: [Bug 1314234] Re: Duplicity does not verify SSL certificate prior to connecting

Is it not possible to have a configurable option? Sounds like the best compromise. Do the right thing by default, and allow people who are in certain situations to configure it to allow for the wrong behavior. That way if there is ever a problem, it was because they chose the more insecure default.

Otherwise you're stuck building white- and black-lists which is just annoying for everyone.

--
Vincent Danen / Red Hat Security Response Team

> On May 20, 2014, at 3:35 PM, Kenneth Loafman <email address hidden> wrote:
>
> I am not entirely sure what the answer should be. If we 'fail' the
> connection and refuse to accept a mis-applied wildcard, we'll probably fail
> most connections (there are a bunch of systems in a bunch of companies set
> up like this). We could 'warn' in this case, but that just creates more
> noise.
>
> My best guess would be to accept if the domain matches, 'amazonaws.com',
> and fail if it does not. Tricky.
>
>
> On Tue, May 20, 2014 at 8:11 AM, Eric Christensen <
> <email address hidden>> wrote:
>
>> Hi, it's been three weeks. Can anyone comment on this?
>>
>> --
>> You received this bug notification because you are subscribed to
>> Duplicity.
>> https://bugs.launchpad.net/bugs/1314234
>>
>> Title:
>> Duplicity does not verify SSL certificate prior to connecting
>>
>> Status in Duplicity - Bandwidth Efficient Encrypted Backup:
>> New
>>
>> Bug description:
>> While doing some testing using deja-dup I noticed that the SSL
>> certificate that Amazon S3 was providing wasn't correct.
>>
>> $ openssl s_client -connect s3-1-w.amazonaws.com:443 -crlf
>> CONNECTED(00000003)
>> depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
>> verify return:1
>> depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
>> verify return:1
>> depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)10, CN = VeriSign Class 3 Secure Server CA - G3
>> verify return:1
>> depth=0 C = US, ST = Washington, L = Seattle, O = Amazon.com Inc., CN = *.s3.amazonaws.com
>> verify return:1
>> ---
>> Certificate chain
>> 0 s:/C=US/ST=Washington/L=Seattle/O=Amazon.com Inc./CN=*.s3.amazonaws.com
>> i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
>> 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
>> i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
>> 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
>> i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
>>
>> The Amazon certificate is a wildcard cert for *.s3.amazonaws.com.
>> Unfortunately the domain duplicity was connecting to was
>> s3-1-w.amazonaws.com. Duplicity should have verified that the
>> certificate was valid for the domain it was connected to.
>>
>> To manage notifications about this bug go to:
>> https://bugs.launchpad.net/duplicity/+bug/1314234/+subscriptions
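As an added example (not code from duplicity or from anyone in this thread), the hostname check the report asks for, in Python: a strict RFC 6125 wildcard rule under which `*.s3.amazonaws.com` does not cover `s3-1-w.amazonaws.com`, plus a secure-by-default TLS context with the explicit opt-out Vincent proposes. The `tolerated_parent` parameter is an assumption standing in for Kenneth's "accept if the domain matches amazonaws.com" idea; the names are the ones quoted in the bug.

```python
import ssl

# Constructed from the values quoted in the bug report.
CERT_NAME = "*.s3.amazonaws.com"
CONNECT_HOST = "s3-1-w.amazonaws.com"


def wildcard_matches(cert_name, hostname):
    """RFC 6125 style matching: '*' is allowed only as the entire left-most
    label and matches exactly one label, so '*.s3.amazonaws.com' covers
    'bucket.s3.amazonaws.com' but not 's3-1-w.amazonaws.com'."""
    p = cert_name.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if "*" not in cert_name:
        return p == h
    # Reject '*.com', 'b*cket.example' and wildcards deeper than label one.
    if p[0] != "*" or len(p) < 3 or any("*" in lbl for lbl in p[1:]):
        return False
    return len(h) == len(p) and h[0] != "" and h[1:] == p[1:]


def hostname_accepted(cert_name, hostname, tolerated_parent=None):
    """Strict by default. tolerated_parent (assumed parameter) is an explicit
    per-deployment opt-in: a mismatch is accepted only when both the
    certificate name and the host sit under that parent, and a warning
    string is returned so the relaxed decision is visible in logs."""
    if wildcard_matches(cert_name, hostname):
        return True, "certificate name matches host"
    if tolerated_parent:
        parent = "." + tolerated_parent.lower().rstrip(".")
        if (hostname.lower().rstrip(".").endswith(parent)
                and cert_name.lower().rstrip(".").endswith(parent)):
            return True, "WARNING: %s not valid for %s; accepted under %s" % (
                cert_name, hostname, tolerated_parent)
    return False, "certificate %s is not valid for %s" % (cert_name, hostname)


def make_tls_context(allow_hostname_mismatch=False):
    """Secure defaults: chain verification and the hostname check are on.
    The opt-out disables only the name check; the chain is still verified."""
    ctx = ssl.create_default_context()
    if allow_hostname_mismatch:
        ctx.check_hostname = False
    return ctx


if __name__ == "__main__":
    print(hostname_accepted(CERT_NAME, CONNECT_HOST))
    print(hostname_accepted(CERT_NAME, CONNECT_HOST, tolerated_parent="amazonaws.com"))
```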