List: busybox
Subject: wget certificate verification concerns
From: Scott Court <z5t1 () z5t1 ! com>
Date: 2020-06-27 13:58:07
Message-ID: 213eebb2-cd4d-7fb9-b519-8954e9562c05 () Z5T1 ! com
Regarding the patch I submitted yesterday, I apologize; I was
inadvertently on the wrong branch, and I see now that this issue has
already been addressed on master and in the 1.32 unstable release in
commit 45fa3f1. I have been looking at the changes introduced in that
commit, and I have a few concerns:
1. OpenSSL's s_client doesn't appear to exit with an error if just the
`-verify_return_error` flag is used. I've tested this on BusyBox
1.32 with OpenSSL 1.0.2u and LibreSSL 3.1.3 and am still able to
`wget https://expired.badssl.com` without getting an error. To cause
s_client to abort with an error, it is necessary to also use the
`-verify 100` flag. Further reading on this is available at
https://www.vdoo.com/ja/blog/busybox-wget-case.
2. Even with the `-verify 100 -verify_return_error` flags, OpenSSL does
not verify that the certificate is valid for the requested hostname.
For hostname verification to work, it is necessary to use
`-verify_hostname <hostname>` for hostname based requests or
`-verify-ip` for IP address based requests.
3. The `-verify_return_error` flag gets added in argv[7]. If the end
user uses wget on an IP address rather than a hostname, argv[5] and
argv[6] will remain set to null, causing execvp not to pass any
arguments after argv[4] to s_client and resulting in no check being
performed.
["signature.asc" (application/pgp-signature)]
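The NULL-hole problem from point 3, as an added illustration that is not BusyBox's code: the argument layout below is reconstructed from the description in the mail, not taken from commit 45fa3f1, and `looks_like_ipv4`, `MAX_ARGS` and the host strings are stand-ins. It places a fixed-slot argv, whose optional `-servername` pair stays NULL for IP addresses, beside an append-only layout, and counts what execvp would actually hand to s_client (everything before the first NULL pointer).

```c
#include <string.h>
#define MAX_ARGS 12
typedef void (*argv_builder)(char *argv[], const char *host);

/* Crude stand-in for an is-it-an-IP-address check: digits, dots, port colon. */
static int looks_like_ipv4(const char *host) {
    return strspn(host, "0123456789.:") == strlen(host);
}

/* Fixed-slot layout reconstructed from the mail (not BusyBox's source): argv[5]
 * and argv[6] are set only for hostnames, so for an IP the flag in argv[7]
 * sits behind a NULL hole and execvp never reaches it. */
void build_argv_fixed_slots(char *argv[], const char *host) {
    memset(argv, 0, sizeof(char *) * MAX_ARGS);
    argv[0] = "openssl"; argv[1] = "s_client"; argv[2] = "-quiet";
    argv[3] = "-connect"; argv[4] = (char *)host;
    if (!looks_like_ipv4(host)) {
        argv[5] = "-servername";
        argv[6] = (char *)host;
    }
    argv[7] = "-verify_return_error";
}

/* Append-only layout: each argument takes the next free slot, so the NULL
 * terminator always directly follows the last real argument. */
void build_argv_appended(char *argv[], const char *host) {
    int n = 0;
    argv[n++] = "openssl"; argv[n++] = "s_client"; argv[n++] = "-quiet";
    argv[n++] = "-connect"; argv[n++] = (char *)host;
    if (!looks_like_ipv4(host)) {
        argv[n++] = "-servername";
        argv[n++] = (char *)host;
    }
    argv[n++] = "-verify_return_error";
    argv[n] = NULL;
}

/* execvp hands the child only the pointers before the first NULL: count them. */
int exec_argc(argv_builder build, const char *host) {
    char *argv[MAX_ARGS]; int n = 0;
    build(argv, host);
    while (argv[n] != NULL) n++;
    return n;
}

/* Is -verify_return_error inside the range execvp would actually pass? */
int exec_passes_verify_flag(argv_builder build, const char *host) {
    char *argv[MAX_ARGS];
    build(argv, host);
    for (int i = 0; argv[i] != NULL; i++)
        if (strcmp(argv[i], "-verify_return_error") == 0) return 1;
    return 0;
}
```

For the IP case the fixed-slot layout yields an argc of 5, exactly the "nothing after argv[4]" outcome the mail describes, while the append-only layout keeps the flag adjacent to the connect target.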
_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox