AWSServiceEndpoint defaults to not verifying server certificates #24

Closed
exarkun opened this issue Jan 7, 2017 · 0 comments
exarkun commented Jan 7, 2017

Given

$ openssl x509 -in server.pem -noout -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1 (0x1)
    Signature Algorithm: md5WithRSAEncryption
        Issuer: OU=example, O=example, CN=example.com, ST=example, C=US/emailAddress=example@example.com, L=example
        Validity
            Not Before: Feb 12 00:31:39 2014 GMT
            Not After : Feb 12 00:31:39 2015 GMT
        Subject: OU=example, O=example, CN=example.com, ST=example, C=US/emailAddress=example@example.com, L=example
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                Exponent: 65537 (0x10001)
    Signature Algorithm: md5WithRSAEncryption

and

$ twistd -n web --port ssl:12345:certKey=server.pem
2017-01-09T08:01:57-0500 [twisted.scripts._twistd_unix.UnixAppLogger#info] twistd 16.4.1 (/usr/bin/python 2.7.12) starting up.
2017-01-09T08:01:57-0500 [twisted.scripts._twistd_unix.UnixAppLogger#info] reactor class: twisted.internet.epollreactor.EPollReactor.
2017-01-09T08:01:57-0500 [-] Site (TLS) starting on 12345
2017-01-09T08:01:57-0500 [twisted.web.server.Site#info] Starting factory <twisted.web.server.Site instance at 0x7f3476497cb0>

This txaws-based program:

$ cat testit.py 
from __future__ import print_function

from txaws.client.base import BaseQuery
from txaws.service import AWSServiceEndpoint

from twisted.internet.task import react

def main(reactor):
    endpoint = AWSServiceEndpoint(ssl_hostname_verification=True)
    q = BaseQuery(action=b"GET", endpoint=endpoint, reactor=reactor)
    d = q.get_page(b"https://localhost:12345/")
    d.addCallback(print)
    return d

react(main, [])

produces this result:

$ python testit.py 

            <html>
            <head><title>Twisted Web Demo</title><head>
            <body>
            Hello! This is a Twisted Web test page.
            </body>
            </html>
            

There is no way the default for txAWS HTTPS requests should be to silently allow communication with a TLS server using such a certificate (self-signed, expired, mismatching hostname).
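As an added example (not code from the txaws issue or project), the following stdlib-only Python check reads the `openssl x509 -text` header fields quoted above and lists every reason a verifying TLS client should refuse that certificate for a given hostname and time: the embedded sample text, the `verification_failures` function and its hostname/time parameters are my own constructions.

```python
# Added example, not txaws code: audit the cert fields an unverified client ignores.
import re
from datetime import datetime, timezone

# Constructed sample: the identifying fields of the server.pem dump in the issue.
SAMPLE_CERT_TEXT = """\
Certificate:
    Signature Algorithm: md5WithRSAEncryption
        Issuer: OU=example, O=example, CN=example.com, ST=example, C=US/emailAddress=example@example.com, L=example
        Validity
            Not Before: Feb 12 00:31:39 2014 GMT
            Not After : Feb 12 00:31:39 2015 GMT
        Subject: OU=example, O=example, CN=example.com, ST=example, C=US/emailAddress=example@example.com, L=example
"""

WEAK_SIGNATURE_PREFIXES = ("md5", "sha1")

def _field(text, name):
    # First "<name>: value" line; tolerates the "Not After :" spacing OpenSSL prints.
    m = re.search(r"^\s*%s\s*:\s*(.+?)\s*$" % re.escape(name), text, re.M)
    return m.group(1) if m else None

def _openssl_time(value):
    # OpenSSL prints validity times like "Feb 12 00:31:39 2014 GMT".
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def verification_failures(cert_text, hostname, now_text):
    """Return the reasons a verifying client should reject cert_text when
    connecting to `hostname` at time `now_text` (OpenSSL time format)."""
    now = _openssl_time(now_text)
    failures = []
    issuer, subject = _field(cert_text, "Issuer"), _field(cert_text, "Subject")
    if issuer == subject:
        failures.append("self-signed: issuer equals subject")
    not_before = _openssl_time(_field(cert_text, "Not Before"))
    not_after = _openssl_time(_field(cert_text, "Not After"))
    if now > not_after:
        failures.append("expired: not valid after %s" % not_after.date())
    if now < not_before:
        failures.append("not yet valid: not valid before %s" % not_before.date())
    cn = re.search(r"CN=([^,/]+)", subject or "")
    if cn is None or cn.group(1) != hostname:
        failures.append("hostname mismatch: CN=%s, connected to %s"
                        % (cn.group(1) if cn else None, hostname))
    sig = _field(cert_text, "Signature Algorithm") or ""
    if sig.lower().startswith(WEAK_SIGNATURE_PREFIXES):
        failures.append("weak signature algorithm: %s" % sig)
    return failures
```

Run against the issue's connection (`localhost`, January 2017) it reports four independent reasons for rejection, any one of which a verifying client would have stopped on.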

@exarkun exarkun self-assigned this Jan 7, 2017
@exarkun exarkun changed the title security placeholder AWSServiceEndpoint defaults to not verifying server certificates Jan 9, 2017