Skip to content

Axel may not verify server certificate CN/SAN/hostname (allowing SSL interception) #262

Closed
Jason23347/axel
#1
@theopolis

Description

@theopolis

It looks like Axel's SSL's connections do not verify server certificate hostnames. To fix this the SSL context should set a certificate callback or use SSL_set1_host to set the intended hostname.

This is an issue since it uses SSL_CTX_set_default_verify_paths and loads all root authorities from the OS. See https://wiki.openssl.org/index.php/Hostname_validation for a description of this nuance with the OpenSSL APIs.

Here is potentially insecure code
https://github.com/axel-download-accelerator/axel/blob/master/src/ssl.c#L83

[...]
ssl_ctx = SSL_CTX_new(SSLv23_client_method());
if (!conf->insecure) {
    SSL_CTX_set_default_verify_paths(ssl_ctx);
    SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL);
}
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);

ssl = SSL_new(ssl_ctx);
SSL_set_fd(ssl, fd);
SSL_set_tlsext_host_name(ssl, hostname);

int err = SSL_connect(ssl);
if (err <= 0) {
[...]

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions