oss-sec mailing list archives
Re: Re: CVE request: perl-IO-Socket-SSL certificate hostname compare bug
From: Steffen Ullrich <Steffen_Ullrich () genua de>
Date: Mon, 31 Aug 2009 18:06:30 +0200
On Mon, Aug 31, 2009 at 05:23:53PM +0200, Tomas Hoger <thoger () redhat com> wrote:
> On Sat, 29 Aug 2009 20:45:53 +0200 Steffen Ullrich <Steffen_Ullrich () genua de> wrote:
> > - the feature to help checking the hostname against the certificate is fairly new
>
> Introduced in 1.14, unless I'm mistaken:
> http://cpansearch.perl.org/src/SULLR/IO-Socket-SSL-1.14/Changes
> It may be good to have this listed in the CVE description.
Yes, this is a good idea. Version 1.14 was released 2008/07/16 and the necessary Net::SSLeay version 1.34 (which is needed for this feature) was released 2008/07/24.
> Anyway, the prefix requirement is another mitigation, as one may not be able to get a valid certificate for a prefix of an arbitrary host name (though it may be easier for TLDs such as .com and .net via .co and .ne). Speaking of prefixes, has anyone checked IO-Socket-SSL for CVE-2009-2408-like issues? If there is an issue, should it get fixed in IO-Socket-SSL or in Net-SSLeay?
I have not checked it yet. If there is a problem it has to be fixed in Net::SSLeay; IO::Socket::SSL is perl only, and perl itself has no problems with strings containing \0.
From the code in SSLeay.xs (X509_get_subjectAltNames) I would say that this part should be no problem, because it explicitly uses ASN1_STRING_length to specify the length of the string. But I'm not sure about the use of X509_get_subject_name, where it magically converts an X509_NAME* into a perl string. I'll keep you updated once I've checked it.

Regards,
Steffen

--
GeNUA Gesellschaft für Netzwerk- und Unix-Administration mbH
Domagkstr. 7, D-85551 Kirchheim. http://www.genua.de
Tel: (089) 99 19 50-0, Fax: (089) 99 10 50-999
Geschäftsführer: Dr. Magnus Harlander, Dr. Michaela Harlander, Bernhard Schneck.
Amtsgericht München HRB 98238
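The class of bug the thread is asking about (CVE-2009-2408-like handling of certificate names) comes down to whether the name is read with its explicit ASN.1 length or as a NUL-terminated C string. The following is an added illustration, not code from Net::SSLeay, IO::Socket::SSL or OpenSSL: the `asn1_string_t` struct is a constructed stand-in for OpenSSL's ASN1_STRING (length plus data), the CN value is constructed for the example, and `hostname_matches`, `hostname_matches_naive`, `cn_len_cstring` and `cn_len_asn1` are names chosen here.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for OpenSSL's ASN1_STRING: the DER value carries an
 * explicit length, so embedded NUL bytes are legal in the data. */
typedef struct {
    const unsigned char *data;
    int length;
} asn1_string_t;

/* Unsafe: treats the DER bytes as a C string and stops at the first NUL.
 * This is the CVE-2009-2408 pattern (length derived from strlen). */
size_t cn_len_cstring(const asn1_string_t *s) {
    return strlen((const char *)s->data);
}

/* Safe: uses the explicit ASN.1 length, as ASN1_STRING_length would. */
size_t cn_len_asn1(const asn1_string_t *s) {
    return (size_t)s->length;
}

/* Naive comparison with C-string semantics: everything after an embedded
 * NUL is silently ignored, so "www.example.com\0.attacker.test" matches
 * www.example.com. */
bool hostname_matches_naive(const asn1_string_t *cn, const char *host) {
    return strcmp((const char *)cn->data, host) == 0;
}

/* Length-aware comparison: lengths must be equal, the CN must contain no
 * embedded NUL, and the bytes must match exactly. */
bool hostname_matches(const asn1_string_t *cn, const char *host) {
    size_t host_len = strlen(host);
    if (cn->length < 0 || (size_t)cn->length != host_len)
        return false;
    if (memchr(cn->data, '\0', (size_t)cn->length) != NULL)
        return false;
    return memcmp(cn->data, host, host_len) == 0;
}

/* Constructed sample CN of 30 bytes: "www.example.com", an embedded NUL,
 * then ".attacker.test". sizeof() minus 1 drops the literal's terminator. */
static const unsigned char kEvilCN[] = "www.example.com\0.attacker.test";
const asn1_string_t evil_cn = { kEvilCN, (int)(sizeof(kEvilCN) - 1) };

/* Constructed benign CN for comparison. */
static const unsigned char kGoodCN[] = "www.example.com";
const asn1_string_t good_cn = { kGoodCN, (int)(sizeof(kGoodCN) - 1) };

int main(void) {
    printf("evil CN: strlen=%zu asn1_len=%zu naive=%d strict=%d\n",
           cn_len_cstring(&evil_cn), cn_len_asn1(&evil_cn),
           hostname_matches_naive(&evil_cn, "www.example.com"),
           hostname_matches(&evil_cn, "www.example.com"));
    printf("good CN: naive=%d strict=%d\n",
           hostname_matches_naive(&good_cn, "www.example.com"),
           hostname_matches(&good_cn, "www.example.com"));
    return 0;
}
```

The check a practitioner wants from the Net::SSLeay side is therefore whether every path that turns a certificate name into a perl scalar passes the ASN.1 length (as the subjectAltName code does) rather than letting a C-string conversion truncate at the first NUL; the perl-side comparison then has to reject any name that still contains a NUL byte, since a CN that matches only up to the NUL is exactly the attack.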
Current thread:
- CVE request: perl-IO-Socket-SSL certificate hostname compare bug Ludwig Nussel (Aug 28)
- Re: CVE request: perl-IO-Socket-SSL certificate hostname compare bug Steffen Ullrich (Aug 29)
- Re: Re: CVE request: perl-IO-Socket-SSL certificate hostname compare bug Tomas Hoger (Aug 31)
- Re: Re: CVE request: perl-IO-Socket-SSL certificate hostname compare bug Steffen Ullrich (Aug 31)
- Re: Re: CVE request: perl-IO-Socket-SSL certificate hostname compare bug Tomas Hoger (Aug 31)
- Re: Re: CVE request: perl-IO-Socket-SSL certificate hostname compare bug Steffen Ullrich (Aug 31)
- Re: Re: CVE request: perl-IO-Socket-SSL certificate hostname compare bug Tomas Hoger (Aug 31)
- Re: CVE request: perl-IO-Socket-SSL certificate hostname compare bug Steffen Ullrich (Aug 29)