Gobby seems to silently accept expired certificates #61
Comments
Right, so the expected result is a straight rejection of the certificate, without allowing the user to accept it anyway. I changed this between 0.4.94 and 0.5.0. I'll see if I can reproduce this, but we should definitely also add some unit tests for certificate verification...
This is fixed in libinfinity, in the master and libinfinity-0.6 branches. I also added a unit test for this case and hope to add more certificate validation tests later. I plan to make a libinfinity-0.6 bugfix release tomorrow.
Does this also apply to the 0.5.x branch of libinfinity? From what I see, the code is rather different there.
No, this does not apply to 0.5.x. The code was indeed changed between 0.5 and 0.6, to make certificate pinning more SSH-like. For example, if a host has a self-signed certificate, with 0.5.x you would be asked at every connection attempt whether to actually connect, while with 0.6.x you are only asked the first time, as long as that host shows you the same certificate every time. The bug was introduced as a result of this change. By the way, libinfinity master now also has certificate validation tests for several other cases of valid or invalid certificates, not only expiration. So I hope this does not happen again next time the validation code is refactored :)
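As an added example (not libinfinity's or Gobby's code) of the SSH-like pinning described above, the decision logic below keeps the validity-period check independent of the pin store, so a pinned host's expired certificate is still rejected; `Cert`, the `pins` dictionary and the host name are constructed stand-ins, and the CA chain result is assumed to be supplied by the caller.

```python
"""TOFU pinning that still enforces the validity period. Constructed model,
not libinfinity code: Cert stands in for a parsed X.509 certificate."""
import hashlib
from dataclasses import dataclass
from datetime import datetime
from enum import Enum

class Verdict(Enum):
    ACCEPT_CA_SIGNED = "accept: chain verifies"
    ACCEPT_PINNED = "accept: matches pinned certificate"
    ASK_USER_FIRST_USE = "ask user: unknown host, self-signed certificate"
    REJECT_EXPIRED = "reject: certificate expired"
    REJECT_NOT_YET_VALID = "reject: certificate not yet valid"
    REJECT_PIN_MISMATCH = "reject: certificate changed for pinned host"

@dataclass(frozen=True)
class Cert:
    der: bytes            # constructed stand-in for the DER encoding
    not_before: datetime
    not_after: datetime
    chain_verifies: bool  # outcome of the CA chain check, assumed given
    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()

def verify_host_cert(host: str, cert: Cert, pins: dict, now: datetime) -> Verdict:
    # Validity checks come first and are unconditional; the pin store only
    # decides what happens to an otherwise valid self-signed certificate.
    if now > cert.not_after:
        return Verdict.REJECT_EXPIRED
    if now < cert.not_before:
        return Verdict.REJECT_NOT_YET_VALID
    if cert.chain_verifies:
        return Verdict.ACCEPT_CA_SIGNED
    pinned = pins.get(host)
    if pinned is None:
        return Verdict.ASK_USER_FIRST_USE  # ask once, then pin (0.6 style)
    if pinned == cert.fingerprint():
        return Verdict.ACCEPT_PINNED       # same certificate as last time
    return Verdict.REJECT_PIN_MISMATCH

def demo() -> list:
    """Constructed walk-through: first use, pinned reuse, expiry, key change."""
    pins, now, later = {}, datetime(2015, 5, 1), datetime(2016, 6, 1)
    good = Cert(b"self-signed-A", datetime(2015, 1, 1), datetime(2016, 1, 1), False)
    other = Cert(b"self-signed-B", datetime(2015, 1, 1), datetime(2016, 1, 1), False)
    first = verify_host_cert("example.org", good, pins, now)
    pins["example.org"] = good.fingerprint()  # user accepted on first use
    return [first, verify_host_cert("example.org", good, pins, now),
            verify_host_cert("example.org", good, pins, later),  # pinned but expired
            verify_host_cert("example.org", other, pins, now)]
```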
For reference: This has been assigned CVE-2015-3886.
Debian bug #783601 reported that gobby silently accepts expired certificates. The mentioned site has since been fixed and I'm unsure if that'd be due to pinning or if there's a genuine validation error. (But then the function in libinfinity doesn't seem to tolerate expiry, not even with pinning, AFAICS.) The report in full: