
Axel may not verify server certificate CN/SAN/hostname (allowing SSL interception) #262

Closed
theopolis opened this issue Mar 16, 2020 · 0 comments · Fixed by Jason23347/axel#1

@theopolis
Contributor

It looks like Axel's SSL connections do not verify server certificate hostnames. To fix this the SSL context should set a certificate callback or use SSL_set1_host to set the intended hostname.

This is an issue since it uses SSL_CTX_set_default_verify_paths and loads all root authorities from the OS. See https://wiki.openssl.org/index.php/Hostname_validation for a description of this nuance with the OpenSSL APIs.

Here is the potentially insecure code:
https://github.com/axel-download-accelerator/axel/blob/master/src/ssl.c#L83

```c
[...]
ssl_ctx = SSL_CTX_new(SSLv23_client_method());
if (!conf->insecure) {
    /* Trust the OS root store and require a valid chain ... */
    SSL_CTX_set_default_verify_paths(ssl_ctx);
    /* ... but no expected hostname is ever set on the context or the
     * SSL object, so a valid certificate for any name passes. */
    SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL);
}
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);

ssl = SSL_new(ssl_ctx);
SSL_set_fd(ssl, fd);
/* Sets the SNI extension only; it does not ask OpenSSL to check the
 * certificate's CN/SAN against hostname. */
SSL_set_tlsext_host_name(ssl, hostname);

int err = SSL_connect(ssl);
if (err <= 0) {
[...]
```
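An added example, not code from Axel or from this issue: the name-matching step that SSL_set1_host / X509_check_host performs and that the snippet above never does, written as a self-contained C matcher using the same rules (SAN dNSNames take precedence, CN only when no dNSName is present, a wildcard only as the whole leftmost label, case-insensitive). `cert_name_matches`, `hostname_valid` and the sample names are hypothetical.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Case-insensitive equality of two DNS strings (DNS names are
 * case-insensitive, so "Example.COM" must match "example.com"). */
static bool ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == '\0' && *b == '\0';
}

/* Does one certificate name (SAN dNSName or CN) match the hostname the
 * client intended to reach?  Rules follow X509_check_host with
 * X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS: "*" is accepted only as the
 * entire leftmost label, matches exactly one label, and must leave at
 * least two literal labels ("*.com" is rejected). */
bool cert_name_matches(const char *name, const char *host)
{
    if (name == NULL || host == NULL || *name == '\0' || *host == '\0')
        return false;
    if (strncmp(name, "*.", 2) != 0)
        return ieq(name, host);           /* no wildcard: exact match */
    const char *suffix = name + 1;        /* ".example.com" */
    if (strchr(suffix + 1, '*') != NULL)  /* no second wildcard */
        return false;
    if (strchr(suffix + 1, '.') == NULL)  /* need >= 2 literal labels */
        return false;
    const char *dot = strchr(host, '.');  /* end of host's first label */
    if (dot == NULL || dot == host)
        return false;
    return ieq(suffix, dot);              /* "*" consumed one label */
}

/* Whole-certificate check (hypothetical helper): SAN dNSNames are
 * authoritative; the CN is consulted only if there are none. */
bool hostname_valid(const char *host, const char *const *sans, size_t nsans,
                    const char *cn)
{
    if (nsans > 0) {
        for (size_t i = 0; i < nsans; i++)
            if (cert_name_matches(sans[i], host))
                return true;
        return false;
    }
    return cert_name_matches(cn, host);
}
```

In OpenSSL 1.0.2 and later this is what `SSL_set1_host(ssl, hostname)` enables; with older versions a verify callback has to do this comparison itself.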
@ismaell ismaell modified the milestones: v3.0, v2.18 Mar 17, 2020
@ismaell ismaell added the bug label Mar 17, 2020
@ismaell ismaell modified the milestones: v2.18, v2.17.8 Mar 17, 2020
davidpolverari pushed a commit to davidpolverari/axel that referenced this issue Aug 26, 2021
Add iSEC Partners hostname validation strategy.

This should support OpenSSL 1.1.0 and 0.9.8.

Fixes: axel-download-accelerator#262