Closed
Description
It looks like Axel's SSL connections do not verify server certificate hostnames. To fix this, the SSL context should set a certificate callback or use SSL_set1_host to set the intended hostname.
This is an issue since it uses SSL_CTX_set_default_verify_paths and loads all root authorities from the OS. See https://wiki.openssl.org/index.php/Hostname_validation for a description of this nuance with the OpenSSL APIs.
Here is the potentially insecure code:
https://github.com/axel-download-accelerator/axel/blob/master/src/ssl.c#L83

```c
[...]
ssl_ctx = SSL_CTX_new(SSLv23_client_method());
if (!conf->insecure) {
	SSL_CTX_set_default_verify_paths(ssl_ctx);
	SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL);
}
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);
ssl = SSL_new(ssl_ctx);
SSL_set_fd(ssl, fd);
SSL_set_tlsext_host_name(ssl, hostname);
int err = SSL_connect(ssl);
if (err <= 0) {
[...]
```