AWSServiceEndpoint defaults to not verifying server certificates #24

Closed
exarkun opened this issue Jan 7, 2017 · 0 comments

@exarkun (Member) commented Jan 7, 2017

Given

$ openssl x509 -in server.pem -noout -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1 (0x1)
    Signature Algorithm: md5WithRSAEncryption
        Issuer: OU=example, O=example, CN=example.com, ST=example, C=US/emailAddress=example@example.com, L=example
        Validity
            Not Before: Feb 12 00:31:39 2014 GMT
            Not After : Feb 12 00:31:39 2015 GMT
        Subject: OU=example, O=example, CN=example.com, ST=example, C=US/emailAddress=example@example.com, L=example
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:a9:11:6a:12:1c:16:9d:15:e3:84:18:a4:ef:6e:
                    7b:b9:a3:64:d6:d9:60:f0:02:f1:c6:a8:40:2d:63:
                    52:02:f8:d8:24:f8:d0:f7:28:3a:26:56:2e:04:64:
                    f9:0c:3a:3f:b3:e8:27:33:bf:4f:8b:9f:2b:4a:a8:
                    3d:42:66:d6:31:2b:0d:15:b2:f5:e5:a5:18:b1:34:
                    82:b3:c4:08:cf:a3:c4:57:cb:5f:12:4b:29:d3:ed:
                    bb:03:00:f0:8a:7b:d8:93:22:ac:53:79:63:f2:53:
                    05:93:91:de:3e:5a:fe:66:d8:e6:d7:11:aa:07:df:
                    2b:19:b8:41:07:a0:9e:18:81
                Exponent: 65537 (0x10001)
    Signature Algorithm: md5WithRSAEncryption
         58:03:4f:a6:9f:7c:e6:75:cc:a0:8c:07:96:c4:8c:9b:c8:a3:
         92:4e:d7:41:4d:e8:8a:80:98:0d:c3:3a:a4:b4:fe:9a:f0:43:
         7b:59:99:73:c9:94:96:b5:b2:66:8f:e5:4f:a1:c5:e3:84:87:
         21:9d:33:0a:03:d8:c1:3a:56:57:a0:b4:2b:ef:e4:2a:56:01:
         11:16:77:6a:3a:f3:19:fe:40:09:f5:13:37:29:39:3f:cd:42:
         eb:c9:9c:f5:f4:3b:96:1a:b5:8a:e3:4a:cd:58:7c:6f:be:3a:
         67:8b:9f:9f:a8:88:d5:5c:a0:9f:23:90:d6:16:7f:94:e5:f9:
         e9:30

and

$ twistd -n web --port ssl:12345:certKey=server.pem
2017-01-09T08:01:57-0500 [twisted.scripts._twistd_unix.UnixAppLogger#info] twistd 16.4.1 (/usr/bin/python 2.7.12) starting up.
2017-01-09T08:01:57-0500 [twisted.scripts._twistd_unix.UnixAppLogger#info] reactor class: twisted.internet.epollreactor.EPollReactor.
2017-01-09T08:01:57-0500 [-] Site (TLS) starting on 12345
2017-01-09T08:01:57-0500 [twisted.web.server.Site#info] Starting factory <twisted.web.server.Site instance at 0x7f3476497cb0>

This txaws-based program:

$ cat testit.py 
from __future__ import print_function

from txaws.client.base import BaseQuery
from txaws.service import AWSServiceEndpoint

from twisted.internet.task import react

def main(reactor):
    endpoint = AWSServiceEndpoint(ssl_hostname_verification=True)
    q = BaseQuery(action=b"GET", endpoint=endpoint, reactor=reactor)
    d = q.get_page(b"https://localhost:12345/")
    d.addCallback(print)
    return d

react(main, [])

produces this result:

$ python testit.py 

            <html>
            <head><title>Twisted Web Demo</title><head>
            <body>
            Hello! This is a Twisted Web test page.
            </body>
            </html>
            

There is no way the default for txAWS HTTPS requests should be to silently allow communication with a TLS server using such a certificate (self-signed, expired, mismatching hostname).
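The three defects the report names (self-signed, expired, wrong hostname) as concrete checks, in an added example that is not txAWS code and not the reporter's script. It uses only the Python 3 standard library: the peer certificate is represented in the dict layout that `ssl.SSLSocket.getpeercert()` returns, `ISSUE_CERT` is a hand transcription of the `server.pem` dump above, and `GOOD_CERT`, its names, and the `NOW` timestamp are constructed for the example. `check_certificate` returns the reasons a client must reject the certificate; `verifying_client_context` is the stdlib context a client should start from, which additionally does what this example does not (chain validation to a trusted CA, and rejecting md5WithRSAEncryption signatures).

```python
"""Added example (not code from txAWS or from the issue reporter).

The three defects the report names -- self-signed, expired, hostname
mismatch -- applied to a peer certificate in the dict layout that the
standard library's ssl.SSLSocket.getpeercert() returns, plus the client
context a verifying HTTPS client should start from.  Python 3, stdlib only.
"""
import ssl
import time

# Constructed sample: the subject/issuer/validity fields of the server.pem
# dumped in the issue, transcribed by hand into getpeercert()'s layout.
_EXAMPLE_DN = (
    (("organizationalUnitName", "example"),),
    (("organizationName", "example"),),
    (("commonName", "example.com"),),
    (("stateOrProvinceName", "example"),),
    (("countryName", "US"),),
    (("emailAddress", "example@example.com"),),
    (("localityName", "example"),),
)
ISSUE_CERT = {
    "subject": _EXAMPLE_DN,
    "issuer": _EXAMPLE_DN,          # issuer == subject: self-signed
    "version": 1,                   # v1 certificate: no extensions, no SAN
    "serialNumber": "01",
    "notBefore": "Feb 12 00:31:39 2014 GMT",
    "notAfter": "Feb 12 00:31:39 2015 GMT",
}

# Constructed counterexample: CA-issued, SAN covering the host, in date.
# Every name here is made up for the example.
GOOD_CERT = {
    "subject": ((("commonName", "s3.example-cloud.test"),),),
    "issuer": ((("commonName", "Example Root CA"),),),
    "subjectAltName": (("DNS", "s3.example-cloud.test"),
                       ("DNS", "*.s3.example-cloud.test")),
    "notBefore": "Jan 01 00:00:00 2016 GMT",
    "notAfter": "Jan 01 00:00:00 2018 GMT",
}

# The moment the reporter ran the script, taken from the twistd log line
# (2017-01-09T08:01:57-0500 is 13:01:57 UTC).
NOW = ssl.cert_time_to_seconds("Jan 09 13:01:57 2017 GMT")


def _names(cert, field):
    """Flatten getpeercert()'s tuple-of-RDNs layout into a {attr: value} dict."""
    out = {}
    for rdn in cert.get(field, ()):
        for key, value in rdn:
            out[key] = value
    return out


def dns_names(cert):
    """Host names the certificate claims: SAN dNSName entries, else the CN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        cn = _names(cert, "subject").get("commonName")
        if cn:
            names = [cn]
    return names


def matches_hostname(pattern, hostname):
    """Exact match, or a single leading '*.' label matching one label (RFC 6125 style)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname


def check_certificate(cert, hostname, now=None):
    """Return the reasons to reject `cert` for `hostname`; [] means these
    checks pass (chain validation to a trusted CA is still required)."""
    now = time.time() if now is None else now
    problems = []
    if _names(cert, "issuer") == _names(cert, "subject"):
        problems.append("self-signed (issuer equals subject)")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired (notAfter %s)" % cert["notAfter"])
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid (notBefore %s)" % cert["notBefore"])
    claimed = dns_names(cert)
    if not any(matches_hostname(n, hostname) for n in claimed):
        problems.append("hostname mismatch (%r not in %r)" % (hostname, claimed))
    return problems


def verifying_client_context():
    """The default a client library should ship: verify the chain AND the hostname."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED + check_hostname=True
    return ctx


def context_verifies(ctx):
    """True only if the context both requires a trusted chain and checks the name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


if __name__ == "__main__":
    for reason in check_certificate(ISSUE_CERT, "localhost", NOW):
        print("reject:", reason)
    print("good cert:", check_certificate(GOOD_CERT, "bucket.s3.example-cloud.test", NOW))
    print("default context verifies:", context_verifies(verifying_client_context()))
```

Run against `ISSUE_CERT` with hostname `localhost` at `NOW`, `check_certificate` returns all three reasons; against `GOOD_CERT` it returns nothing for a host under the wildcard SAN and only the hostname mismatch for `localhost`. The point for a client library is the last function: a context that reports `CERT_REQUIRED` and `check_hostname=True` is the only acceptable default, and a flag like `ssl_hostname_verification` should select that context rather than one that accepts anything.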

@exarkun exarkun self-assigned this Jan 7, 2017

@exarkun exarkun changed the title security placeholder AWSServiceEndpoint defaults to not verifying server certificates Jan 9, 2017

@mithrandi mithrandi closed this in #26 Jan 9, 2017
