Message-ID: <CACYkhxisoBR8jBDhvk8_eAJJ8iG1n5t2mnas_u_skwCtEbuf=w@mail.gmail.com>
Date: Thu, 12 Mar 2015 10:44:58 +1100
From: Michael Samuel <mik@...net.net>
To: oss-security@...ts.openwall.com
Subject: Re: Another Python app (rhn-setup: rhnreg_ks) not checking hostnames in certs properly CVE-2015-1777

On 12 March 2015 at 02:48, Kurt Seifried <kseifried@...hat.com> wrote:

> Much like /tmp issues the solution that will save us is not to fix every
> /tmp issue but rather do more intelligent things like poly instantiated
> tmp or systemd per process tmp. Sadly I don't see such an easy
> possibility with TLS/SSL, but if we have a decent test
> framework/reproduction ability it will make finding, fixing and
> verifying these things a whole lot easier long term.

You can test for the common bugs extremely easily - you need two types of
bogus certificate installed on the server:
- A completely untrusted (e.g. self-signed) certificate
- A certificate signed by a trusted authority but for the wrong hostname

It's not too hard to test SSH connections in a similar manner (just regen the
ssh host keys after the first connection).

Alternatively, you could make your OpenSSL modules for various languages
return client ctxs that verify by default - the topic of this discussion :)

Regards,
  Michael
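The second kind of bogus certificate above (issued by a trusted CA, but for the wrong hostname) is only caught if the client actually compares the requested hostname against the certificate, which is exactly the check the rhnreg_ks bug omits. The following is an added example, not code from this thread or from rhn-setup: a stand-alone hostname matcher over the dict shape that `ssl.SSLSocket.getpeercert()` returns, using a deliberately strict wildcard rule (a wildcard is accepted only as the whole leftmost label and matches exactly one label); the sample certificate dict and hostnames are constructed.

```python
import ssl  # used only for the error type; no network connection is made


class HostnameMismatch(ssl.CertificateError):
    """Raised when a certificate does not cover the requested hostname."""


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match of one dNSName (possibly wildcarded) against hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Strict rule: '*' must be the entire leftmost label, at least two real labels
    # must follow it (so '*.org' is rejected), and no other label may contain '*'.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    # The wildcard consumes exactly one non-empty label; the rest must match exactly.
    return (len(h_labels) == len(p_labels)
            and h_labels[0] != ""
            and h_labels[1:] == p_labels[1:])


def match_hostname(cert: dict, hostname: str) -> None:
    """Raise HostnameMismatch unless cert (getpeercert() dict) covers hostname."""
    names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        # No dNSName SAN present: fall back to the subject's commonName entries.
        names = [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]
    if not names:
        raise HostnameMismatch("certificate carries no dNSName SAN or commonName")
    if not any(_dns_name_matches(n, hostname) for n in names):
        raise HostnameMismatch(f"hostname {hostname!r} does not match {names!r}")


def covers(cert: dict, hostname: str) -> bool:
    """True if the certificate is valid for hostname, False on a mismatch."""
    try:
        match_hostname(cert, hostname)
        return True
    except HostnameMismatch:
        return False


# Constructed sample: a certificate a trusted CA issued for the wrong host.
WRONG_HOST_CERT = {
    "subject": ((("commonName", "www.example.org"),),),
    "subjectAltName": (("DNS", "www.example.org"), ("DNS", "*.cdn.example.org")),
}
```

A client that only checks the chain would accept WRONG_HOST_CERT for any server; `covers(WRONG_HOST_CERT, "satellite.example.net")` is the test that must come back False.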
