The function initiate_connection achieves the SSL connect. When the
connection finishes, you immediately start to execute read/write operations without
verifying the certificate, which can lead to a MITM attack and cause leakage of
sensitive data. We have built the test environment to prove such an attack can
occur. We recommend you add a verify operation such as SSL_CTX_set_verify or
SSL_get_peer_certificate to guarantee security.
We have proved the MITM attack can occur. This bug report has been sent to the
upstream developer and we are waiting for the report from them.
> To be clear, this bug is in example code to demonstrate how one uses
> libnghttp2, not in any actual libnghttp2 code.
>
> The upstream developer Tatsuhiro Tsujikawa (offlist) said:
>
> > Thank you for the security analysis.
> > examples/client.c is an example program to show how to use libnghttp2,
> > and we made it intentionally simple.
> > In addition, since developers often use self-signed certificates for
> > development, we omitted any verification after handshake. We never expect
> > to see this used in a production scenario.
>
> Ruan, I believe the upstream developer is waiting on you to respond with
> how you would like them to proceed: either a block comment or removal of
> the example code.
>
> ** Changed in: nghttp2 (Ubuntu)
> Status: Confirmed => Invalid
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1677958
>
> Title:
> no SSL certificate verify
>
> Status in nghttp2 package in Ubuntu:
> Invalid
>
> Bug description:
> Hi developers:
> We made a large scale security static analysis on several open
> source projects, and found some mistakes in nghttp2 1.7.1. In the
> @example/client.c:539:
> static void fetch_uri(const struct URI *uri) {
> [...]
> ssl_ctx = SSL_CTX_new(SSLv23_client_method());
> if (ssl_ctx == NULL) {
> dief("SSL_CTX_new", ERR_error_string(ERR_get_error(), NULL));
> }
> init_ssl_ctx(ssl_ctx);
> ssl = SSL_new(ssl_ctx);
> if (ssl == NULL) {
> dief("SSL_new", ERR_error_string(ERR_get_error(), NULL));
> }
> /* To simplify the program, we perform SSL/TLS handshake in blocking
> I/O. */
> ssl_handshake(ssl, fd);
> [...]
> }
>
> The function ssl_handshake(ssl, fd) achieves SSL_connect(ssl). When
> the SSL connect finishes, you immediately start to execute read/write
> operations without verifying the certificate, which can lead to a MITM attack
> and cause leakage of sensitive data. We recommend you add a verify operation
> such as SSL_CTX_set_verify or SSL_get_peer_certificate to guarantee
> the security.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/nghttp2/+bug/
> 1677958/+subscriptions
>
Now we find that there is another bug in nghttp2-client: initiate_connection()
In @src/nghttp.cc:
int HttpClient::initiate_connection() {
[...]
ssl = SSL_new(ssl_ctx);
[...]
SSL_set_fd(ssl, fd);
SSL_set_connect_state(ssl);
[...]
writefn = &HttpClient::connected;
}
2017-05-17 1:48 GMT+08:00 Nish Aravamudan <email address hidden>: