incomplete SSL certificate verify
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
tnftp (Ubuntu) | New | Undecided | Unassigned |
Bug Description
Hi developers:
We made a large-scale security static analysis on several open source projects, and found some mistakes in tnftp-20130505. In @src/ssl.c:555:
    void *
    fetch_start_ssl(int sock)
    {
        [...]
        ctx = SSL_CTX_
        SSL_CTX_
        ssl = SSL_new(ctx);
        if (ssl == NULL){
            fprintf(ttyout, "SSL context creation failed\n");
            SSL_CTX_
            return NULL;
        }
        SSL_set_fd(ssl, sock);
        while ((ret = SSL_connect(ssl)) == -1)
        [...]
        cert = SSL_get_
        [...]
    }
We find that you use SSL_get_
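The defect the report points at is a client that completes the handshake and retrieves the peer certificate without ever requiring it to verify. As an added example (not tnftp's code, and using Python's ssl module rather than the OpenSSL C API), here is that unverified pattern beside a hardened client context and a small audit that flags the omission; all function names are ours.

```python
"""Audit a TLS client configuration for the two checks a client such as
tnftp's fetch_start_ssl() can omit: peer chain verification and hostname
matching.  Added example; the function names here are ours, not tnftp's."""
import ssl
from typing import List, Optional


def unverified_client_context() -> ssl.SSLContext:
    """Mirror the vulnerable pattern: the handshake succeeds against any
    certificate because verification is never switched on (the Python
    equivalent of never calling SSL_CTX_set_verify() in C)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # peer cert is fetched but never validated
    return ctx


def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client context that requires a valid chain and a matching hostname.
    cafile=None loads the platform trust store (the C analogue is
    SSL_CTX_set_default_verify_paths())."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED   # SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, ...)
    ctx.check_hostname = True             # X509_VERIFY_PARAM_set1_host() in OpenSSL
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the verification weaknesses present in a client context.
    An empty list means both checks are enabled."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not required to verify")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the server hostname")
    return findings


if __name__ == "__main__":
    for name, ctx in (("unverified", unverified_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_context(ctx) or "ok")
```

Note that with CERT_NONE Python's `getpeercert()` returns an empty dict even when the server sent a certificate, so, as in the C code above, merely obtaining the peer certificate says nothing about whether it was validated.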
Information type: Private Security → Public
tnftp 20230409's ChangeLog has "Support SSL certificate validation by default."