#9086 closed enhancement (fixed)
Check SSL lib for vulnerability
Reported by: | andrewz | Owned by: | nobody |
---|---|---|---|
Priority: | normal | Milestone: | R1 |
Component: | - General | Version: | R1/alpha3 |
Keywords: | SSL vulnerability | Cc: | |
Blocked By: | Blocking: | ||
Platform: | All |
Description
Verify SSL lib rejects self-signed and 3rd party certificates:
Change History (5)
comment:1 by , 12 years ago
comment:3 by , 10 years ago
That story is gone, but I would say no. PulkoMandy added support to notify the user on invalid certs in HaikuWebKit's trunk, so this can be closed.
comment:5 by , 10 years ago
This is a well-known problem with OpenSSL: if nothing special is done, it will accept any certificate without checking. BSecureSocket enables certificate checking, and calls a callback when the certificate can't be validated. The default implementation of the callback is to continue anyway. Applications which need a secure connection must override the callback and act as appropriate.
This would be an app-level vulnerability, not the lib itself.
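The callback behaviour described in comment 5, as an added example that is not part of the ticket and is not Haiku's code: a self-contained C++ model in which validation always runs, the default failure callback continues anyway, and an application subclass refuses instead. The class names, the method name, the `PeerCert` fields and the sample certificates are assumptions constructed for this model.

```cpp
#include <string>
#include <vector>

// Constructed stand-in for a peer certificate; not a real X.509 parser.
struct PeerCert {
    std::string subject;
    std::string issuer;
    bool chainsToTrustedRoot;
};

// Hypothetical model of the pattern in comment 5: the certificate is always
// checked, and a virtual callback decides what happens when the check fails.
class ModelSecureSocket {
public:
    virtual ~ModelSecureSocket() {}

    // Returns true if the connection is allowed to proceed.
    bool Connect(const std::string& host, const PeerCert& cert) {
        std::string reason = Validate(host, cert);
        if (reason.empty())
            return true;
        return CertificateVerificationFailed(cert, reason);
    }

protected:
    // Default described on the page: continue anyway (fail-open).
    virtual bool CertificateVerificationFailed(const PeerCert&, const std::string&) {
        return true;
    }

private:
    static std::string Validate(const std::string& host, const PeerCert& cert) {
        if (cert.subject == cert.issuer && !cert.chainsToTrustedRoot)
            return "self-signed certificate";
        if (!cert.chainsToTrustedRoot)
            return "untrusted issuer";
        if (cert.subject != host)
            return "hostname mismatch";
        return "";
    }
};

// An application that needs a secure connection overrides the callback,
// records why validation failed, and refuses to continue.
class StrictSocket : public ModelSecureSocket {
public:
    std::vector<std::string> rejected;  // refusal reasons, for logging
protected:
    bool CertificateVerificationFailed(const PeerCert& c, const std::string& why) override {
        rejected.push_back(c.subject + ": " + why);
        return false;
    }
};
```

With the default class, the self-signed certificate and the valid certificate issued for another host both connect; only the overriding subclass rejects them.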