Opened 11 years ago

Closed 9 years ago

Last modified 9 years ago

#9086 closed enhancement (fixed)

Check SSL lib for vulnerability

Reported by: andrewz Owned by: nobody
Priority: normal Milestone: R1
Component: - General Version: R1/alpha3
Keywords: SSL vulnerability Cc:
Blocked By: Blocking:
Platform: All

Description

Change History (5)

comment:1 by anevilyak, 11 years ago

This would be an app-level vulnerability, not the lib itself.

comment:2 by diver, 9 years ago

Is this still relevant then?

comment:3 by waddlesplash, 9 years ago

That story is gone, but I would say no. PulkoMandy added support to notify the user on invalid certs in HaikuWebKit's trunk, so this can be closed.

comment:4 by diver, 9 years ago

Resolution: fixed
Status: new → closed

Ok, thanks!

comment:5 by pulkomandy, 9 years ago

http://web.archive.org/web/20121127051829/http://threatpost.com/en_us/blogs/ssl-vulnerabilities-found-critical-non-browser-software-packages-102512

This is a well-known problem with OpenSSL: if nothing special is done, it will accept any certificate without checking. BSecureSocket enables certificate checking, and calls a callback when the certificate can't be validated. The default implementation of the callback is to continue anyway. Applications which need a secure connection must override the callback and act as appropriate.
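
Added example, not part of the ticket and not Haiku or OpenSSL code: a self-contained model of the callback design described in comment:5, with a regression check an application can use to confirm its socket class rejects every category of invalid certificate. All class, method and certificate names here are hypothetical and the certificates are constructed.

```cpp
#include <initializer_list>
#include <iostream>
#include <string>

// Constructed model only: these names are hypothetical, not the BSecureSocket API.
enum class CertStatus { Valid, Expired, SelfSigned, HostnameMismatch };

struct PeerCert {              // stand-in for the certificate a peer presents
    std::string subject;
    CertStatus status;
};

class ModelSecureSocket {
public:
    virtual ~ModelSecureSocket() = default;
    // Returns true if the session is established after the certificate check.
    bool Connect(const PeerCert& cert) {
        if (cert.status == CertStatus::Valid)
            return true;
        return OnCertificateInvalid(cert);   // the callback's answer decides
    }
protected:
    // Default mirrors the behaviour described in comment:5: continue anyway.
    virtual bool OnCertificateInvalid(const PeerCert&) { return true; }
};

// An application that needs a secure connection overrides the callback.
class StrictSocket : public ModelSecureSocket {
public:
    std::string lastRejected;                // kept for logging or a user prompt
protected:
    bool OnCertificateInvalid(const PeerCert& cert) override {
        lastRejected = cert.subject;
        return false;                        // abort instead of continuing
    }
};

// Regression check: true if the socket accepts any invalid certificate.
bool FailsOpen(ModelSecureSocket& s) {
    for (CertStatus st : {CertStatus::Expired, CertStatus::SelfSigned,
                          CertStatus::HostnameMismatch})
        if (s.Connect({"CN=constructed.example", st}))
            return true;
    return false;
}

int main() {
    ModelSecureSocket def;
    StrictSocket strict;
    std::cout << "default fails open: " << FailsOpen(def) << "\n";
    std::cout << "strict fails open:  " << FailsOpen(strict) << "\n";
}
```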
