Opened 6 years ago

Closed 4 years ago

Last modified 4 years ago

#9086 closed enhancement (fixed)

Check SSL lib for vulnerability

Reported by: andrewz
Owned by: nobody
Priority: normal
Milestone: R1
Component: - General
Version: R1/alpha3
Keywords: SSL vulnerability
Cc:
Blocked By:
Blocking:
Has a Patch: no
Platform: All

Description

Change History (5)

comment:1 Changed 6 years ago by anevilyak

This would be an app-level vulnerability, not the lib itself.

comment:2 Changed 4 years ago by diver

Is this still relevant then?

comment:3 Changed 4 years ago by waddlesplash

That story is gone, but I would say no. PulkoMandy added support to notify the user on invalid certs in HaikuWebKit's trunk, so this can be closed.

comment:4 Changed 4 years ago by diver

Resolution: fixed
Status: new → closed

Ok, thanks!

comment:5 Changed 4 years ago by pulkomandy

http://web.archive.org/web/20121127051829/http://threatpost.com/en_us/blogs/ssl-vulnerabilities-found-critical-non-browser-software-packages-102512

This is a well-known problem with OpenSSL: if nothing special is done, it will accept any certificate without checking. BSecureSocket enables certificate checking, and calls a callback when the certificate can't be validated. The default implementation of the callback is to continue anyway. Applications which need a secure connection must override the callback and act as appropriate.
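
A heuristic source audit for the OpenSSL behaviour described in comment 5, added here as an example (not code from the ticket or from Haiku): it flags C/C++ client code that never enables `SSL_VERIFY_PEER`, or that installs a verify callback which could continue on failure. The C snippets are constructed samples, and `audit_source` and the other Python names are hypothetical.

```python
import re

# Pattern-based audit of C/C++ source text; findings are candidates for review.
CTX_NEW = re.compile(r"\bSSL_CTX_new\s*\(")
SET_VERIFY = re.compile(
    r"\bSSL(?:_CTX)?_set_verify\s*\(\s*[^,]+,\s*([^,]+),\s*([^)]+)\)")
CHECK_RESULT = re.compile(r"\bSSL_get_verify_result\s*\(")
NO_CALLBACK = {"NULL", "0", "nullptr"}


def audit_source(text):
    """Return a list of findings for the text of one source file."""
    if not CTX_NEW.search(text):
        return []  # no OpenSSL context is created in this file
    calls = [(m.group(1).strip(), m.group(2).strip())
             for m in SET_VERIFY.finditer(text)]
    peer_calls = [c for c in calls if "SSL_VERIFY_PEER" in c[0]]
    findings = []
    if not peer_calls:
        # OpenSSL's default verify mode is SSL_VERIFY_NONE.
        if CHECK_RESULT.search(text):
            findings.append("handshake does not enforce verification; "
                            "relies on a manual SSL_get_verify_result check")
        else:
            findings.append("accepts any certificate: SSL_VERIFY_PEER never "
                            "set and SSL_get_verify_result never checked")
    for _mode, callback in peer_calls:
        if callback not in NO_CALLBACK:
            findings.append("custom verify callback '%s': confirm it does "
                            "not always return 1" % callback)
    return findings


# Constructed sample inputs (not taken from any real project).
DEFAULT_CLIENT = """
SSL_CTX *ctx = SSL_CTX_new(TLS_client_method());
SSL *ssl = SSL_new(ctx);
SSL_connect(ssl);
"""
STRICT_CLIENT = """
SSL_CTX *ctx = SSL_CTX_new(TLS_client_method());
SSL_CTX_set_default_verify_paths(ctx);
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
"""
CALLBACK_CLIENT = """
static int always_ok(int ok, X509_STORE_CTX *store) { return 1; }
SSL_CTX *ctx = SSL_CTX_new(TLS_client_method());
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, always_ok);
"""
```

Hostname checking is outside what this audit looks at: `SSL_VERIFY_PEER` validates the certificate chain only.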
