no SSL certificate verify
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
r-cran-rsclient (Ubuntu) | New | Undecided | Unassigned |
Bug Description
Hi developers:
We performed a large-scale security static analysis on several open source projects and found some mistakes in r-cran-
static int tls_upgrade(
    SSL *ssl;
    SSL_CTX *ctx;
    if (first_tls)
        init_tls();
    ctx = SSL_CTX_
    SSL_
    c->tls = ssl = SSL_new(ctx);
    c->send = tls_send;
    c->recv = tls_recv;
    SSL_set_fd(ssl, c->s);
    /* SSL_CTX_free(ctx) // check whether this is safe - it should be since ssl has the reference ... */
    return SSL_connect(ssl);
}
When the SSL connect finishes, you immediately start to execute read/write operations without verifying the certificate, which can lead to a MITM attack and cause leakage of sensitive data. We recommend you add a verify operation such as SSL_CTX_set_verify or SSL_get_
Information type: Private Security → Public
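The pattern the report describes (finish the handshake, then read and write without ever checking who the peer is) beside the fixed shape, as an added example that is not Rserve or rsclient code. It is written with Python's ssl module rather than the OpenSSL C API so it runs offline; the comments map each setting to the OpenSSL call the report asks for (SSL_CTX_set_verify, a trust store, hostname checking, and SSL_get_verify_result). The cafile argument and the audit_context helper are assumptions made for the example.

```python
"""Added example, not rsclient's own code: client-side TLS upgrade with
and without server certificate verification, plus a small audit helper."""
import ssl


def insecure_upgrade_context():
    """Mirrors the reported bug: a client context that never verifies the
    server certificate. The handshake succeeds against any certificate, so
    an on-path attacker can terminate the connection and read everything.
    OpenSSL equivalent: SSL_CTX_new() left at its default SSL_VERIFY_NONE
    and SSL_connect() never followed by SSL_get_verify_result()."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # no hostname match
    ctx.verify_mode = ssl.CERT_NONE  # no chain validation
    return ctx


def verified_upgrade_context(cafile=None):
    """The fix: require a certificate, validate its chain against a trust
    store, and check that it is issued for the host we asked for.
    OpenSSL equivalent: SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL),
    SSL_CTX_load_verify_locations() or SSL_CTX_set_default_verify_paths(),
    and SSL_set1_host() before SSL_connect(). `cafile` is a hypothetical
    path to a CA bundle; without it the system trust store is used."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.load_default_certs()
    return ctx


def audit_context(ctx):
    """Return the list of verification problems a client context has.
    An empty list means the context will refuse an unauthenticated peer."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("verify_mode is not CERT_REQUIRED")
    if not ctx.check_hostname:
        problems.append("check_hostname is disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("TLS below 1.2 allowed")
    return problems


def tls_upgrade(sock, server_hostname, ctx):
    """Upgrade an already-connected TCP socket to TLS, like the reported
    tls_upgrade(), but fail closed: with a verifying context wrap_socket()
    raises ssl.SSLCertVerificationError when the chain or the hostname does
    not check out, so no application data is ever sent to an unverified
    peer. The getpeercert() check afterwards plays the role of
    SSL_get_verify_result(ssl) == X509_V_OK after SSL_connect()."""
    tls = ctx.wrap_socket(sock, server_hostname=server_hostname)
    if ctx.verify_mode == ssl.CERT_REQUIRED and not tls.getpeercert():
        tls.close()
        raise ssl.SSLError("handshake completed without a verified peer certificate")
    return tls


if __name__ == "__main__":
    # Offline demonstration: the buggy context fails the audit, the fixed one passes.
    print("insecure:", audit_context(insecure_upgrade_context()))
    print("verified:", audit_context(verified_upgrade_context()))
```

In the C code from the report the same fix is three steps: call SSL_CTX_set_verify with SSL_VERIFY_PEER and load a trust store before SSL_new, set the expected hostname on the SSL object before SSL_connect, and treat any result of SSL_get_verify_result other than X509_V_OK after SSL_connect as a failed connection rather than proceeding to tls_send and tls_recv.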