[Bug 761503] New: claws-mail must not include own certificate bundle
https://bugzilla.novell.com/show_bug.cgi?id=761503#c0

Summary: claws-mail must not include own certificate bundle
Classification: openSUSE
Product: openSUSE 12.2
Version: Factory
Platform: Other
OS/Version: Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: Other
AssignedTo: bnc-team-gnome@forge.provo.novell.com
ReportedBy: meissner@suse.com
QAContact: qa-bugs@suse.de
CC: lnussel@suse.com, security-team@suse.de
Found By: ---
Blocker: ---

claws-mail must not include its own certificate bundle; it should use the system-wide ones or be fixed to use them (the system /etc/ssl/certs/ directory).

-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
--- Comment #1 from Ludwig Nussel
--- Comment #2 from Ludwig Nussel
--- Comment #3 from Vincent Untz
--- Comment #4 from Dominique Leuenberger
certificate verification in claws-mail is broken in multiple ways

1. claws_ssl_get_cert_file() doesn't try any existing bundle file, so the included bundle isn't used either

Claws has a list of paths to use (none of which we use either):

    const char *cert_files[] = {
        "/etc/pki/tls/certs/ca-bundle.crt",
        "/etc/certs/ca-bundle.crt",
        "/usr/share/ssl/certs/ca-bundle.crt",
        "/etc/ssl/certs/ca-certificates.crt",
        "/usr/local/ssl/certs/ca-bundle.crt",
        "/etc/apache/ssl.crt/ca-bundle.crt",
        "/usr/share/curl/curl-ca-bundle.crt",
        "/usr/share/curl/curl-ca-bundle.crt",
        "/usr/lib/ssl/cert.pem",
        NULL};

I'll extend that list for our package by adding /etc/ssl/ca-bundle.pem (this seems to be the one we use... if we want, upstream agrees to add this to their list as well, so we won't have to carry the patch forever)

2. the return value of gnutls_certificate_verify_peers2() isn't used. Instead claws always runs into the code path for self-signed certificates (i.e. prompts for confirm)

Will take some time together with upstream to find the best course here

3. claws does not call gnutls_x509_crt_check_hostname(), which would make it prone to MITM. Due to 2) that's not a problem though.

Will take some time together with upstream to find the best course here
--- Comment #5 from Marcus Meissner
--- Comment #6 from Bernhard Wiedemann
--- Comment #7 from Dominique Leuenberger
--- Comment #8 from Dominique Leuenberger
--- Comment #9 from Marcus Meissner
--- Comment #10 from Dominique Leuenberger
--- Comment #11 from Dominique Leuenberger
--- Comment #12 from Dominique Leuenberger
certificate verification in claws-mail is broken in multiple ways

1. claws_ssl_get_cert_file() doesn't try any existing bundle file, so the included bundle isn't used either

Has been addressed by adding our path to the list

2. the return value of gnutls_certificate_verify_peers2() isn't used. Instead claws always runs into the code path for self-signed certificates (i.e. prompts for confirm)

Looks like an incorrect statement: the gnutls_certificate_verify_peers2 'return' value is a mere success/failure value. The real result is stored in status, which is used in the next function call again. Status is passed down to ssl_certificate_check

3. claws does not call gnutls_x509_crt_check_hostname(), which would make it prone to MITM. Due to 2) that's not a problem though.

Reported upstream: http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2718
--- Comment #13 from Ludwig Nussel

(In reply to comment #1)
> certificate verification in claws-mail is broken in multiple ways
>
> 1. claws_ssl_get_cert_file() doesn't try any existing bundle file, so the included bundle isn't used either
>
> Has been addressed by adding our path to the list
[...]
> 3. claws does not call gnutls_x509_crt_check_hostname(), which would make it prone to MITM. Due to 2) that's not a problem though.
>
> Reported upstream: http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2718

As long as 3. is not fixed, you'd better not fix 1. in our packages either, or you allow for MITM.
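The three points from comments #4, #12 and #13 (bundle lookup, acting on the GnuTLS verify status rather than the call's return code, and the missing hostname check) combine as shown in this added illustration, which is not claws-mail code. It assumes GnuTLS-style status bits (the constant values are copied from gnutls_certificate_status_t so the block builds without the GnuTLS headers) and uses a simplified hostname matcher in place of gnutls_x509_crt_check_hostname().

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Names mirror gnutls_certificate_status_t; the values are copied here
 * (assumption) so the block builds without the GnuTLS headers. */
enum { CERT_INVALID = 1 << 1, CERT_REVOKED = 1 << 5,
       CERT_SIGNER_NOT_FOUND = 1 << 6, CERT_EXPIRED = 1 << 10 };

enum verdict { VERDICT_ACCEPT, VERDICT_PROMPT, VERDICT_REJECT };

static bool ieq(const char *a, const char *b)   /* case-insensitive equality */
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == *b;
}

/* Point 3: simplified stand-in for gnutls_x509_crt_check_hostname(): exact
 * match, or a "*." wildcard that covers exactly one left-most label. */
bool hostname_matches(const char *pattern, const char *host)
{
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        if (dot == NULL || dot == host)       /* need a label before the dot */
            return false;
        return ieq(pattern + 1, dot);         /* ".example.com" vs the rest */
    }
    return ieq(pattern, host);
}

/* Point 2: act on the status bitmask that gnutls_certificate_verify_peers2()
 * fills in, not on its int return code. Only "issuer unknown" may be handed
 * to the confirm prompt; a name mismatch is never something to ask the user
 * about, because that is exactly the MITM case comment #13 warns about. */
enum verdict decide(unsigned status, bool host_ok)
{
    if (!host_ok)                                return VERDICT_REJECT;
    if (status & (CERT_REVOKED | CERT_EXPIRED))  return VERDICT_REJECT;
    if (status & CERT_SIGNER_NOT_FOUND)          return VERDICT_PROMPT;
    if (status & CERT_INVALID)                   return VERDICT_REJECT;
    return VERDICT_ACCEPT;
}
```

GnuTLS sets CERT_INVALID together with the more specific bit, so an unknown issuer arrives as CERT_INVALID | CERT_SIGNER_NOT_FOUND and is the only combination routed to the prompt.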
--- Comment #14 from Dominique Leuenberger
--- Comment #15 from Ludwig Nussel
--- Comment #16 from Bernhard Wiedemann
--- Comment #17 from Dominique Leuenberger