Disabled SSL certificate verify

Bug #1677511 reported by Ruan Linqi on 2017-03-30
Affects: libstrophe (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

Hi developers:
We made a large-scale security static analysis of several open source projects and found some mistakes in libstrophe-0.8.8. In @src/Tls_openssl.c:68:
tls_t *tls_new(xmpp_ctx_t *ctx, sock_t sock)
{
    tls_t *tls = xmpp_alloc(ctx, sizeof(*tls));

    if (tls) {
        int ret;
        memset(tls, 0, sizeof(*tls));

        tls->ctx = ctx;
        tls->sock = sock;
        tls->ssl_ctx = SSL_CTX_new(SSLv23_client_method());

        SSL_CTX_set_client_cert_cb(tls->ssl_ctx, NULL);
        SSL_CTX_set_mode(tls->ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
        /* SSL_VERIFY_NONE: the server certificate chain is never checked,
         * so the handshake completes with any certificate (the reported issue). */
        SSL_CTX_set_verify(tls->ssl_ctx, SSL_VERIFY_NONE, NULL);

        tls->ssl = SSL_new(tls->ssl_ctx);

        [..]
}

The parameter SSL_VERIFY_NONE here cannot configure this built-in certificate validation, so the handshake can continue even if the cert is invalid. We recommend you use SSL_VERIFY_PEER to guarantee the security.
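As an added example (not libstrophe's code), the same setting expressed through Python's standard ssl module, which wraps the OpenSSL flags the report discusses: ssl.CERT_NONE corresponds to SSL_VERIFY_NONE and ssl.CERT_REQUIRED to SSL_VERIFY_PEER. The block builds the weak client context beside the recommended one and audits a context the way a reviewer would; the function names are mine, and the trust-store check assumes the host has a system CA bundle.

```python
import ssl

def weak_client_context():
    """Mirror of the reported configuration: any server certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode may become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # equivalent of SSL_CTX_set_verify(..., SSL_VERIFY_NONE, NULL)
    return ctx

def hardened_client_context(cafile=None):
    """Recommended fix: require a chain to a trusted CA and bind the cert to the server name."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED   # equivalent of SSL_VERIFY_PEER
    ctx.check_hostname = True             # SSL_VERIFY_PEER alone does not check the hostname
    if cafile:                            # explicit CA bundle (e.g. a pinned private CA)
        ctx.load_verify_locations(cafile=cafile)
    else:                                 # otherwise the platform trust store
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    return ctx

def audit_client_context(ctx):
    """Return the findings a code reviewer would raise for a TLS client context."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode is CERT_NONE (SSL_VERIFY_NONE): server certificate never validated")
    elif ctx.verify_mode == ssl.CERT_OPTIONAL:
        findings.append("verify_mode is CERT_OPTIONAL: a server that presents no certificate is accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a valid certificate for any name is accepted")
    # A verifying context with an empty trust store can never complete a handshake.
    if ctx.verify_mode != ssl.CERT_NONE and ctx.cert_store_stats()["x509_ca"] == 0:
        findings.append("no CA certificates loaded: verification cannot succeed")
    return findings

if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        print(name, audit_client_context(ctx) or ["no findings"])
```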

information type: Private Security → Public