oss-sec mailing list archives

Re: CVE Request -- OfflineIMAP -- 1), failed to validate remote SSL server certificate 2), allows SSLv2 protocol


From: John Goerzen <jgoerzen () complete org>
Date: Thu, 23 Dec 2010 11:08:48 -0600

On 12/23/2010 08:43 AM, Jan Lieskovsky wrote:
> Hello Steve, vendors,
>
> two issues with security implications have been recently reported
> against OfflineIMAP:
>
> I), Didn't check SSL server certificate

Please note, by the way, that I am no longer OfflineIMAP maintainer; Nicolas Sebrecht, who I see CC'd, is. Since I was CC'd, I'm assuming someone is looking for some historical perspective.

This isn't recent. OfflineIMAP didn't check the certificate because it was impossible to do so in Python until Python 2.6; Python's built-in SSL API (socket.ssl) simply didn't provide any way to do it. OfflineIMAP's SSL support *significantly* predates Python 2.6 (it has been in OfflineIMAP since at least 2002). This limitation has been well and widely documented, both in OfflineIMAP and in Python. For instance, at http://docs.python.org/release/2.5/lib/module-socket.html in the description of ssl:

"Warning: This does not do any certificate verification!"

So if you're going to have a list of vulnerable versions, it probably goes back all the way to 1.0.0.

It is up to you folks whether you want to issue a CVE for it or not.

In my *personal* opinion, it's a little silly; you might as well issue a CVE on telnet because it is vulnerable to sniffing and MITM attacks. "Well, yes it is," you might say, "and everybody knows it is, and it's widely known, so why issue an advisory?" SSL support in OfflineIMAP provided some measure of utility to connect to servers that only accepted SSL connections, as well as some measure of making attacks more difficult. It was all that was practical in Python at the time. But I don't expect to have a voice on that now, so feel free to ignore my opinion.

That's not to say I was happy with the situation. I wasn't. But such was all that was available.

I have seen patches to address this go across the mailing list, and I'm sure Nicolas could discuss that better than I at this point, so with that I'll bow out and leave this discussion of what to do with this to the people that are involved with the project presently.

- John
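The two findings in this thread (no certificate verification, legacy protocol versions negotiable) expressed as a small audit of a Python ssl context. This is an added example written against the ssl module that replaced socket.ssl in Python 2.6, not OfflineIMAP's code or any patch from the list; the function names are mine.

```python
"""Audit an ssl.SSLContext for the two OfflineIMAP findings: unverified peer
certificate and legacy protocol versions. Example code, not OfflineIMAP's."""
import ssl
from typing import List, Optional


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return security findings for a client context (empty list means OK)."""
    findings = []
    # Finding 1: without CERT_REQUIRED the server certificate is never checked,
    # which is exactly what the pre-2.6 socket.ssl API did.
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not verified (verify_mode != CERT_REQUIRED)")
    # A verified chain is not enough: the name in the certificate must match
    # the host we meant to talk to, otherwise any valid cert passes.
    if not ctx.check_hostname:
        findings.append("hostname not matched against certificate")
    # Finding 2: no version floor means SSLv2/SSLv3/TLS 1.0/1.1 can be negotiated
    # (and a MITM can steer the handshake down to them).
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy protocol versions allowed (minimum_version < TLS 1.2)")
    return findings


def legacy_context() -> ssl.SSLContext:
    """Reproduce the old socket.ssl behaviour: no verification, no version floor."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before dropping verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """What an IMAP-over-SSL client should use: verify chain and name, TLS 1.2+."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for name, ctx in (("legacy", legacy_context()), ("hardened", hardened_context())):
        print(name, audit_context(ctx) or ["no findings"])
```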

