Comment 0 for bug 1879533

Dimitri John Ledkov (xnox) wrote : busybox does not verify TLS connections with CONFIG_FEATURE_WGET_OPENSSL=y config option

[Impact]

 * CONFIG_FEATURE_WGET_OPENSSL=y enables https support in wget busybox applet
 * When performing https requests, it forks openssl s_client and communicates with it to perform https download
 * Whilst doing so, it does not pass `-verify_return_error` option, meaning any verification errors are ignored
 * This allows https downloads to succeed without any CA certificates or validation
 * This allows MITM attacks

[Test Case]

 * Preparation: sudo apt install busybox

 * Test case: /bin/busybox wget https://untrusted-root.badssl.com/

 * Expected: download failed, like with GNU wget

$ wget https://untrusted-root.badssl.com/
--2020-05-19 18:00:38-- https://untrusted-root.badssl.com/
Resolving untrusted-root.badssl.com (untrusted-root.badssl.com)... 104.154.89.105
Connecting to untrusted-root.badssl.com (untrusted-root.badssl.com)|104.154.89.105|:443... connected.
ERROR: cannot verify untrusted-root.badssl.com's certificate, issued by ‘CN=BadSSL Untrusted Root Certificate Authority,O=BadSSL,L=San Francisco,ST=California,C=US’:
  Self-signed certificate encountered.
To connect to untrusted-root.badssl.com insecurely, use `--no-check-certificate'.

 * Observed: download success

$ /bin/busybox wget https://untrusted-root.badssl.com/
Connecting to untrusted-root.badssl.com (104.154.89.105:443)
index.html 100% |*************************************************************************************| 600 0:00:00 ETA

$ cat index.html | grep certificate
  The certificate for this site is signed using an untrusted root.

[Regression Potential]

 * The fact that /bin/busybox wget https:// succeeds without TLS verification might be relied upon. If this issue is fixed, ensure that `--no-check-certificate` is honored.

[Other Info]

 * Proposed fix

   pass `-verify_return_error` to s_client, unless `--no-check-certificate` is specified
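
The proposed fix, sketched as an added example (not busybox's own code and not part of the original report): a helper that builds the `openssl s_client` argument vector and adds `-verify_return_error` unless `--no-check-certificate` was requested. The names `build_s_client_argv`, `argv_has` and `S_CLIENT_MAX_ARGS` are hypothetical, and the extra `-verify_hostname` argument is an assumption that goes beyond the fix proposed in the report.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define S_CLIENT_MAX_ARGS 12  /* hypothetical bound: 10 arguments + NULL fits */

/* Hypothetical helper: fill argv[] for exec'ing `openssl s_client`.
 * hostport is "host:port", servername is the name the user asked for.
 * Returns the argument count, or -1 if the input is unusable. */
int build_s_client_argv(const char *argv[S_CLIENT_MAX_ARGS],
                        const char *hostport, const char *servername,
                        int no_check_certificate)
{
    int n = 0;
    if (!hostport || !servername || !*hostport || !*servername)
        return -1;
    /* A value starting with '-' would be parsed by openssl as an option. */
    if (hostport[0] == '-' || servername[0] == '-')
        return -1;
    argv[n++] = "openssl";
    argv[n++] = "s_client";
    argv[n++] = "-quiet";
    argv[n++] = "-connect";
    argv[n++] = hostport;
    argv[n++] = "-servername";
    argv[n++] = servername;
    if (!no_check_certificate) {
        /* Without this flag s_client reports chain errors and carries on. */
        argv[n++] = "-verify_return_error";
        /* Assumption beyond the report: also bind the cert to the host name. */
        argv[n++] = "-verify_hostname";
        argv[n++] = servername;
    }
    argv[n] = NULL;
    return n;
}

/* Returns 1 if flag appears in the NULL-terminated argv, else 0. */
int argv_has(const char *argv[], const char *flag)
{
    for (int i = 0; argv[i] != NULL; i++)
        if (strcmp(argv[i], flag) == 0)
            return 1;
    return 0;
}

int main(void)
{
    const char *argv[S_CLIENT_MAX_ARGS];
    const char *host = "untrusted-root.badssl.com"; /* host from the test case */
    int n = build_s_client_argv(argv, "untrusted-root.badssl.com:443", host, 0);
    for (int i = 0; i < n; i++)
        printf("%s%s", argv[i], i + 1 < n ? " " : "\n");
    return 0;
}
```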