Re: Gajim fails to handle invalid certificates

[Kurt Seiifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/10/2012 09:02 PM, y33t wrote:
> Gajim does not seem to properly handle invalid/broken/expired 
> certificates. The _ssl_verify_callback function in tls_nb.py is
> called by OpenSSL for every certificate in the certificate chain
> (CA first, server certificate last) but always return True whether
> an error was encountered or not.
>
> This forces OpenSSL to verify each certificate until none is left,
> at which points it will call _ssl_verify_callback one last time
> with an error number of 0.
>
> (This behavior is documented here:  man 3 SSL_CTX_set_verify "If
> verify_callback returns 1, the verification process is continued.
> If verify_callback always returns 1, the TLS/SSL handshake will not
> be terminated with respect to verification failures and the
> connection will be established." And can be observed in function
> crypto/x509/x509_vfy.c:internal_verify() in OpenSSL source code.)
>
> _ssh_verify_callback only stores the last error code, which always
> is 0 unless an error was encountered in the deepest level of the
> chain (the CA), so gajim will not warn as long as the CA is
> recognized.
>
>
> (...)
>
> This problem goes beyond expired certificates. It is also possible
> to edit any existing and valid server certificate by changing the
> CN manually. The certificate's signature will be become invalid and
> OpenSSL will detect it and return errnum 7 ("Certificate signature
> failure") but gajim will not warn and will proceed with the
> connection anyway...
>
>
> References: https://trac.gajim.org/ticket/7252

So do we consider this to be an OpenSSL issue of gajim? I'm sure gajim
is not the only program that does something like this.



- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQIcBAEBAgAGBQJQo0YLAAoJEBYNRVNeJnmTu3MQAI3+hlMRTPjdJzUnm/ymKK6N
pqlerX9VVxyHWuW8pPqTZqAUpENLMErHTaNEPp2bLYv63zYvmibKcGMqwH4s/rrM
SvaxFrlZxJvaw8vCx5c046lDiH5DhjhUkQW/kriR7zdXzvxDwt/ZyfLu92LSQ7VR
ahoEYcyTZEEBZpi11ZyPt6N2iqeHRpngMXFtCztiBcyMTzKiscQ9gwgGSVOe8Owg
WopP35XgaxwohzIgzV4yF7ydff+/fZ/TFY2Y5Wl2iXs9LzgwHxVftfjVuoAI9A0q
amYG15i2BfrHzkqqToenAJv/mrraGUg7972rgDGNayU+DQr3IllaY4kSa711rB+J
vK6TWbQT5nIEnOCxsCHJRlrIAZfI727dvBPr7gapIafYw2EYInRHkfRJIwRVggAt
zwYDEW8cEkGnkUxg85OGJhPUU8uVVa9oKOjdDCeaGLhdYYC4j49kRJefRHX4sUHa
OPhJF61aeZOTR7q39gbdmjYerkrbW2XDwo/18aM8Brf6Q0hSPyq380D2/1Fh4cRb
HHsmWqPTP7S/16jUN9oePNR1/lj2u/kz+GlQlyfoNoXT2gknLOeRnVGnvofUDT4U
81qjpbdecoLCKJyHWMjQ1WCLnm21mu8FQTTxBfjOoj0lAbFcZH4Eps/VZBLWFj0N
EZZnSNg788Lgek8lxl09
=2ckv
-----END PGP SIGNATURE-----