Check cert

Bug #1297969 reported by John Lenton
Affects                     Status        Importance  Assigned to   Milestone
Ubuntu Push Notifications   Fix Released  High        John Lenton
ubuntu-push (Ubuntu)        Fix Released  High        John Lenton
  Trusty                    Fix Released  High        John Lenton

Bug Description

[Impact]

 * the client isn't checking the ssl certificate

[Test Case]

You need:

* a computer capable of running the ubuntu push server.
* a device using the stable image and that can talk to the computer over the network

on the computer, do:

mkdir -p test-case-1309231/src/launchpad.net
cd !$
bzr branch lp:ubuntu-push
cd ubuntu-push
make bootstrap
sed -i~ -e 's/127.0.0.1//g' sampleconfigs/dev.json
make run-server-dev

on the device, edit /etc/xdg/ubuntu-push-client/config.json (or copy it to ~phablet/.config/ubuntu-push-client/config.json and edit it there) so that "addr" points to the IP address of the computer, and port 9090; something like

"addr": "192.168.1.1:9090"

(note there is no https:// as the hosts discovery step is being skipped).

Restart ubuntu-push-client,

sudo -iu phablet restart ubuntu-push-client

note how it connects just fine. It shouldn't! That server has a self-signed certificate, and could be anybody.

[Regression Potential]

If somebody is relying on this for something, it'll break.
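The behaviour the test case above demonstrates, and the -cert_pem_file run in the verification comment further down, reduced to an in-process Go example. This is added illustration, not code from ubuntu-push: it generates a throwaway self-signed certificate (constructed test data standing in for server/acceptance/ssl/testing.cert), runs a TLS listener on loopback, and dials it with four client configurations: InsecureSkipVerify (the bug: anybody's cert is accepted), verification against an empty trust store (the "certificate signed by unknown authority" failure), the trusted cert with the wrong expected server name, and the trusted cert with the right name (the fix). The hostname push.example, the config names and the helper functions are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

const serverName = "push.example" // assumed hostname; the page names none

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// selfSignedCert builds a throwaway self-signed certificate for serverName:
// constructed test data standing in for the dev server's own self-signed cert.
// Returns the cert for the server side and its PEM for the client's trust store.
func selfSignedCert() (tls.Certificate, []byte) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		DNSNames:              []string{serverName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, certPEM
}

// startServer listens on a random loopback port and completes the TLS handshake
// on each accepted connection; an error on this side means the client rejected us.
func startServer(cert tls.Certificate) net.Listener {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	must(err)
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) { defer c.Close(); c.(*tls.Conn).Handshake() }(c)
		}
	}()
	return ln
}

// clientConfigs returns the client configurations under comparison. certPEM is
// the trusted certificate, as handed to the client with -cert_pem_file.
func clientConfigs(certPEM []byte) map[string]*tls.Config {
	pool := x509.NewCertPool()
	pool.AppendCertsFromPEM(certPEM)
	return map[string]*tls.Config{
		// The bug: whatever certificate the peer presents is accepted.
		"insecure": {InsecureSkipVerify: true},
		// Verification on, but nothing in the trust store signed the cert.
		"unknown-ca": {RootCAs: x509.NewCertPool(), ServerName: serverName},
		// Trusted cert, but not issued for the name the client expects.
		"wrong-name": {RootCAs: pool, ServerName: "other.example"},
		// The fix: trust the server's cert and check the server name.
		"pinned": {RootCAs: pool, ServerName: serverName},
	}
}

// runScenarios dials an in-process server with each config and returns the
// handshake error per config name; nil means the connection was accepted.
func runScenarios() map[string]error {
	cert, certPEM := selfSignedCert()
	ln := startServer(cert)
	defer ln.Close()
	results := make(map[string]error)
	for name, cfg := range clientConfigs(certPEM) {
		conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
		if err == nil {
			conn.Close()
		}
		results[name] = err
	}
	return results
}

func main() {
	for name, err := range runScenarios() {
		fmt.Printf("%-10s -> %v\n", name, err)
	}
}
```

Running it prints nil for the insecure and pinned clients and x509 errors for the other two; the unknown-ca case is the same "x509: certificate signed by unknown authority" message the verification comment shows. Note that trusting the server's own certificate via a PEM file is fine for a dev server; a production client would verify against a CA pool plus the expected hostname, which is what the "pinned" config does with the pool swapped.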

John Lenton (chipaca)
Changed in ubuntu-push:
importance: Undecided → High
John Lenton (chipaca)
information type: Public → Public Security
John Lenton (chipaca)
Changed in ubuntu-push:
assignee: nobody → John Lenton (chipaca)
John Lenton (chipaca)
Changed in ubuntu-push:
status: New → Fix Committed
Changed in ubuntu:
status: New → In Progress
importance: Undecided → High
assignee: nobody → John Lenton (chipaca)
John Lenton (chipaca)
affects: ubuntu → ubuntu-push (Ubuntu)
John Lenton (chipaca)
description: updated
Chris Halse Rogers (raof) wrote : Please test proposed package

Hello John, or anyone else affected,

Accepted ubuntu-push into trusty-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/ubuntu-push/0.2.1+14.04.20140423.1-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in ubuntu-push (Ubuntu Trusty):
status: In Progress → Fix Committed
tags: added: verification-needed
Lucio Torre (lucio.torre) wrote :

verified with http://ports.ubuntu.com/pool/universe/u/ubuntu-push/ubuntu-push-client_0.2.1+14.04.20140423.1-0ubuntu1_armhf.deb

Output while trying to connect is:
2014/04/24 13:10:15.746774 DEBUG trying to connect to: 192.168.3.10:9090
2014/04/24 13:10:15.765452 ERROR unable to start: write version: x509: certificate signed by unknown authority

Lucio Torre (lucio.torre) wrote :

desktop $ adb push server/acceptance/ssl/testing.cert /tmp/
phablet $ /usr/lib/ubuntu-push-client/ubuntu-push-client -cert_pem_file=/tmp/testing.cert

2014/04/24 13:13:34.683230 INFO Sending 'connected'.
2014/04/24 13:13:34.686282 DEBUG trying to connect to: 192.168.3.10:9090
2014/04/24 13:13:34.764995 DEBUG Connected 192.168.3.10:9090.
2014/04/24 13:13:34.767802 DEBUG Session connected after 1 attempts

So it now can connect with a proper cert.

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-push - 0.2.1+14.04.20140423.1-0ubuntu1

---------------
ubuntu-push (0.2.1+14.04.20140423.1-0ubuntu1) trusty; urgency=high

  [ Samuele Pedroni ]
  * gave the client the ability to get config from commandline
    ( => easier automated testing) (LP: #1311600)

  [ John Lenton ]
  * Ensure ubuntu-push-client is the only one running in the session.
    (LP: #1309432)
  * Remove spurious numbers in brackets in notifications. (LP: #1308145)
  * Check the server certificate and server name. (LP: #1297969)
  * Loop whoopsie_identifier_generate until it starts working. (LP: #1309237)
  * In the session: set a flag on connect, clear it on successfully
    replying to ping or broadcast messages, check it at the top of
    autoredial. Also track the last autoredial, and set the delay flag if
    autoredial is re-called too quickly. (LP: #1309231)
 -- Ubuntu daily release <email address hidden> Wed, 23 Apr 2014 11:54:00 +0000

Changed in ubuntu-push (Ubuntu Trusty):
status: Fix Committed → Fix Released
Colin Watson (cjwatson) wrote : Update Released

The verification of the Stable Release Update for ubuntu-push has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-push - 0.2.1+14.04.20140423.1-0ubuntu1

---------------
ubuntu-push (0.2.1+14.04.20140423.1-0ubuntu1) trusty; urgency=high

  [ Samuele Pedroni ]
  * gave the client the ability to get config from commandline
    ( => easier automated testing) (LP: #1311600)

  [ John Lenton ]
  * Ensure ubuntu-push-client is the only one running in the session.
    (LP: #1309432)
  * Remove spurious numbers in brackets in notifications. (LP: #1308145)
  * Check the server certificate and server name. (LP: #1297969)
  * Loop whoopsie_identifier_generate until it starts working. (LP: #1309237)
  * In the session: set a flag on connect, clear it on successfully
    replying to ping or broadcast messages, check it at the top of
    autoredial. Also track the last autoredial, and set the delay flag if
    autoredial is re-called too quickly. (LP: #1309231)
 -- Ubuntu daily release <email address hidden> Wed, 23 Apr 2014 11:54:00 +0000

Changed in ubuntu-push (Ubuntu):
status: In Progress → Fix Released
John Lenton (chipaca)
Changed in ubuntu-push:
status: Fix Committed → Fix Released