This repository was archived by the owner on Feb 10, 2024. It is now read-only.
This repository was archived by the owner on Feb 10, 2024. It is now read-only.
SSL: The certificate's Common Name (CN) field is not verified #524
Closed
Description
HexChat doesn't check that the server-offered certificate really corresponds to the domain name HexChat is connecting to. In other words, it will accept any certificate, as long as it is signed by one of CAs that OpenSSL trusts.
Attack example: Mallet registers a domain name super.hacker.com and obtains a valid CA-signed SSL certificate for this domain. When Alice is connecting to chat.freenode.net, Mallet MITMs the connection and supplies his own certificate to Alice. Since it is not verified that the certificate actually corresponds to chat.freenode.net, verification succeeds and the secure connection is now compromised.
Want to back this issue? Place a bounty on it! We accept bounties via Bountysource.