[Bug 496385] New: gnutls-cli fails to verify certificate name
http://bugzilla.novell.com/show_bug.cgi?id=496385

           Summary: gnutls-cli fails to verify certificate name
    Classification: openSUSE
           Product: openSUSE 11.0
           Version: Final
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Critical
          Priority: P5 - None
         Component: Network
        AssignedTo: bnc-team-screening@forge.provo.novell.com
        ReportedBy: matthias.andree@gmx.de
         QAContact: qa@suse.de
          Found By: ---

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8 (.NET CLR 3.5.30729)

(flagged this bug "critical" as it can cause sensitive information to leak to untrusted computers)

gnutls-cli version 2.2.2 does not verify if the certificate's CommonName matches the actual server name given on the command line; for instance:

wget http://www.pki.dfn.de/fileadmin/PKI/zertifikate/deutsche-telekom-root-ca-2.p...
gnutls-cli --x509cafile deutsche-telekom-root-ca-2.pem -p 443 svn-serv2.cs.uni-paderborn.de

(svn-serv2.cs... may have disappeared when this report is read; the certificate has CN=svn-serv.cs... without the "2".)

Please consider backporting a newer gnutls-cli version or patching the existing one if that would introduce incompatibilities.

Reproducible: Always

Steps to Reproduce:
Install gnutls-2.2.2-17.2 on openSUSE 11.0, then run the wget and gnutls-cli commands above.

Actual Results:
GnuTLS-cli 2.2.2 yields:

- Certificate[0] info:
 # The hostname in the certificate does NOT match 'svn-serv2.cs.uni-paderborn.de'.
 # valid since: Tue Jan 6 14:47:33 CET 2009
 # expires at: Sun Jan 5 14:47:33 CET 2014
 # fingerprint: DA:FE:F6:12:29:99:CC:CE:D3:CD:E6:94:4B:C9:BE:52
 # Subject's DN: C=DE,ST=Nordrhein-Westfalen,L=Paderborn,O=Universitaet Paderborn,OU=IRB (Informatik Rechner Betriebsgruppe),CN=svn-serv.cs.uni-paderborn.de
 # Issuer's DN: C=DE,O=Universitaet Paderborn,OU=IMT (Zentrum fuer Informations- und Medientechnologien),CN=Universitaet Paderborn CA - G01,EMAIL=ca@uni-paderborn.de

but continues through to:

- Peer's certificate is trusted

which is false - see the "does NOT match" line above. Note that I did not allow --insecure via command line switch.

Expected Results:
GnuTLS-cli _MUST_ !!! refuse the connection.

This appears fixed in a later version (2.4.1 on openSUSE 11.1).

-- 
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
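The check the report says gnutls-cli 2.2.2 skipped is the one any TLS client has to make after the chain is validated: does the name the user asked for actually appear in the server certificate? The Python below is an added illustration of that decision, not GnuTLS code and not part of this bug thread. It assumes the caller has already parsed the certificate into a subject CN and a list of subjectAltName dNSName entries (the names used here are constructed from the report: CN svn-serv.cs.uni-paderborn.de against the requested host svn-serv2.cs.uni-paderborn.de) and that chain trust was decided separately. The point it demonstrates is that a trusted chain for the wrong name must still be refused, which is the behaviour the report asks for.

```python
"""Hostname check that a TLS client must perform after chain validation.

Added illustration only: names are supplied by the caller, who is assumed
to have parsed the certificate already. Matching follows RFC 6125 style
rules: case-insensitive label comparison, a wildcard honoured only as the
complete leftmost label, never across dots, and never for a two-label name.
"""
from typing import Optional, Sequence, Tuple


def _label_matches(pattern_label: str, host_label: str) -> bool:
    """Match one DNS label; a bare '*' matches exactly one non-empty label."""
    if pattern_label == "*":
        return host_label != ""
    return pattern_label == host_label


def hostname_matches(hostname: str, cert_names: Sequence[str]) -> bool:
    """True if `hostname` matches any presented name in `cert_names`."""
    host_labels = hostname.rstrip(".").lower().split(".")
    for name in cert_names:
        pat_labels = name.rstrip(".").lower().split(".")
        if len(pat_labels) != len(host_labels):
            continue                      # '*' never spans several labels
        if "*" in pat_labels[0] and pat_labels[0] != "*":
            continue                      # partial wildcards ('svn*') rejected
        if "*" in pat_labels[0] and len(pat_labels) < 3:
            continue                      # '*.tld' would match far too much
        if any("*" in lbl for lbl in pat_labels[1:]):
            continue                      # wildcard only in the leftmost label
        if all(_label_matches(p, h) for p, h in zip(pat_labels, host_labels)):
            return True
    return False


def names_from_cert(subject_cn: Optional[str], san_dns: Sequence[str]) -> list:
    """Names to match against: SAN dNSName entries when present, otherwise
    the subject CN (the only name the certificate in the report carries)."""
    if san_dns:
        return list(san_dns)
    return [subject_cn] if subject_cn else []


def verify_peer(hostname: str, chain_trusted: bool,
                subject_cn: Optional[str],
                san_dns: Sequence[str] = ()) -> Tuple[str, str]:
    """Combine chain trust with the name check. Returns (decision, reason)."""
    if not chain_trusted:
        return ("REFUSE", "certificate chain is not trusted")
    names = names_from_cert(subject_cn, san_dns)
    if not hostname_matches(hostname, names):
        return ("REFUSE",
                "the hostname in the certificate does NOT match %r" % hostname)
    return ("ACCEPT", "chain trusted and hostname matches")


if __name__ == "__main__":
    # Constructed from the report: a chain that validates against the CA file,
    # but whose leaf is issued for svn-serv, not the requested svn-serv2.
    requested = "svn-serv2.cs.uni-paderborn.de"
    decision, why = verify_peer(requested, True, "svn-serv.cs.uni-paderborn.de")
    print(decision, "-", why)
```

A client that prints "Peer's certificate is trusted" only from the chain result has stopped one step short; the decision returned by verify_peer is the one that should gate whether any application data, such as a mail password sent over STARTTLS, leaves the process.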
http://bugzilla.novell.com/show_bug.cgi?id=496385

Zheng Chen <zchen@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |zchen@novell.com
         AssignedTo|bnc-team-screening@forge.pr |gjhe@novell.com
                   |ovo.novell.com              |


http://bugzilla.novell.com/show_bug.cgi?id=496385

User thoger@pobox.sk added comment
http://bugzilla.novell.com/show_bug.cgi?id=496385#c1

Tomas Hoger <thoger@pobox.sk> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |thoger@pobox.sk

--- Comment #1 from Tomas Hoger <thoger@pobox.sk> 2009-04-21 02:01:31 MDT ---
Check has been added upstream in:
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=a0e582d0c183dfad274a8...


http://bugzilla.novell.com/show_bug.cgi?id=496385

Marcus Meissner <meissner@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P5 - None                   |P3 - Medium
            Summary|gnutls-cli fails to verify  |VUL-0: gnutls-cli fails to
                   |certificate name            |verify certificate name
           Severity|Critical                    |Major


http://bugzilla.novell.com/show_bug.cgi?id=496385

User swamp@suse.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=496385#c2

Swamp Workflow Management <swamp@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Status Whiteboard|                            |maint:running:24176

--- Comment #2 from Swamp Workflow Management <swamp@suse.com> 2009-04-21 08:40:50 MDT ---
The SWAMPID for this issue is 24176.
Please submit the patch and patchinfo file using this ID.
(https://swamp.suse.de/webswamp/wf/24176)
http://bugzilla.novell.com/show_bug.cgi?id=496385

User thomas@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=496385#c3

--- Comment #3 from Thomas Biege <thomas@novell.com> 2009-04-22 01:36:58 MDT ---
What is the use-case for this tool? Do we have important scripts/YaST that use this tool to fulfil their work? Maybe we can postpone this update.


http://bugzilla.novell.com/show_bug.cgi?id=496385

User matthias.andree@gmx.de added comment
http://bugzilla.novell.com/show_bug.cgi?id=496385#c4

--- Comment #4 from Matthias Andree <matthias.andree@gmx.de> 2009-04-22 05:55:54 MDT ---
Postpone fixes to data hijacking bugs? Why?

As to the use case: gnutls-cli can be used as SSL/TLS/STARTTLS connection wrapper and is preconfigured for the popular flexible and powerful "Gnus" mail and news package that ships as part of Emacs -- the openssl s_client fallback is even worse -- but at least the latter is documented that way, namely a debug tool.

If this issue remains unfixed, any site with a valid certificate can impersonate another site and gnutls-cli will happily continue, and Emacs/Gnus will happily send cleartext passwords to eavesdroppers... that's not any better than code injection.


http://bugzilla.novell.com/show_bug.cgi?id=496385

Matthias Andree <matthias.andree@gmx.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Found By|---                         |Community User


http://bugzilla.novell.com/show_bug.cgi?id=496385

User thomas@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=496385#c5

Thomas Biege <thomas@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P3 - Medium                 |P4 - Low
            Summary|VUL-0: gnutls-cli fails to  |gnutls-cli fails to verify
                   |verify certificate name     |certificate name
           Severity|Major                       |Minor

--- Comment #5 from Thomas Biege <thomas@novell.com> 2009-04-23 07:48:59 MDT ---
Hello Matthias,
you are right; indeed it seems only Gnus, the news/mail reader, uses gnutls-cli. A man-in-the-middle attack on plaintext information that is routed over potentially untrusted servers and only affects one client is reason enough to fix it as part of another gnutls update and effectively use our QA resources.
http://bugzilla.novell.com/show_bug.cgi?id=496385

Swamp Workflow Management <swamp@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Status Whiteboard|maint:running:24176         |maint:running:24176
                   |                            |maint:planned:update


http://bugzilla.novell.com/show_bug.cgi?id=496385

User swamp@suse.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=496385#c7

Swamp Workflow Management <swamp@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Status Whiteboard|maint:running:24176         |maint:running:24176
                   |maint:planned:update        |maint:running:24398

--- Comment #7 from Swamp Workflow Management <swamp@suse.com> 2009-05-04 08:37:03 MDT ---
The SWAMPID for this issue is 24398.
Please submit the patch and patchinfo file using this ID.
(https://swamp.suse.de/webswamp/wf/24398)


http://bugzilla.novell.com/show_bug.cgi?id=496385

User gjhe@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=496385#c8

--- Comment #8 from Guanjun He <gjhe@novell.com> 2009-05-07 01:17:54 MDT ---
patch submitted to opensuse11.0


http://bugzilla.novell.com/show_bug.cgi?id=496385

User gjhe@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=496385#c9

Guanjun He <gjhe@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #9 from Guanjun He <gjhe@novell.com> 2009-05-07 02:07:03 MDT ---
fixed.


http://bugzilla.novell.com/show_bug.cgi?id=496385

User swamp@suse.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=496385#c10

Swamp Workflow Management <swamp@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Status Whiteboard|maint:running:24176         |maint:running:24176
                   |maint:running:24398         |maint:running:24398
                   |                            |maint:released:11.0:24467

--- Comment #10 from Swamp Workflow Management <swamp@suse.com> 2009-05-08 00:41:43 MDT ---
Update released for: gnutls, libgnutls-devel, libgnutls-extra-devel, libgnutls-extra26, libgnutls26
Products:
openSUSE 11.0 (debug, i386, ppc, ppc64, x86_64)


http://bugzilla.novell.com/show_bug.cgi?id=496385

Swamp Workflow Management <swamp@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Status Whiteboard|maint:running:24176         |maint:running:24176
                   |maint:running:24398         |
                   |maint:released:11.0:24467   |


http://bugzilla.novell.com/show_bug.cgi?id=496385

User kgw@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=496385#c11

--- Comment #11 from Klaus Wagner <kgw@novell.com> 2009-09-04 05:03:53 MDT ---
Pointer to bug 536809 regarding SLE-10 and SLE-9 gnutls being affected by (apparently) the same issue.