
Re: Bug#590873: openconnect < 2.25 does not verify SSL server certificates



On Thu, Jul 29, 2010 at 03:45:55PM -0400, Anders Kaseorg wrote:

> Versions of OpenConnect before 2.25 do not verify that the server SSL 
> certificate matches the server hostname, which enables an attacker to 
> perform an MITM attack on the connection.  This can be fixed by upgrading 
> to OpenConnect 2.25.
> 
> From the upstream changelog:
> 
> OpenConnect v2.25 — 2010-05-15
> • Always validate server certificate, even when no extra --cafile is 
>   provided.
> • Add --no-cert-check option to avoid certificate validation.
> • Check server hostname against its certificate.
> • Provide text-mode function for reviewing and accepting "invalid" 
>   certificates.
> • Fix libproxy detection on NetBSD.

To the untrained eye, the diff between
6732c0e8ccb4d57d6a970973f994a9d2d3509def
and
3b2738befa7fe934d0d55b77fe1fcf28aafbe424

in upstream git is what's required for this, but the patch would need
a bit of work to apply cleanly. Note also that there
are some memory leaks fixed in 2.25 which might be a good idea to fix
too.

Given all this, might the best idea be to allow an exception for the
new upstream? The full changelog is:

     * OpenConnect v2.25 -- 2010-05-15
          + Always validate server certificate, even when no extra
            --cafile is provided.
          + Add --no-cert-check option to avoid certificate validation.
          + Check server hostname against its certificate.
          + Provide text-mode function for reviewing and accepting
            "invalid" certificates.
          + Fix libproxy detection on NetBSD.
     * OpenConnect v2.24 -- 2010-05-07
          + Forget preconfigured password after a single attempt; don't
            retry infinitely if it's failing.
          + Set $CISCO_BANNER environment variable when running script.
          + Better handling of passphrase failure on certificate files.
          + Fix NetBSD build (thanks to Pouya D. Tafti).
          + Fix DragonFly BSD build.
     * OpenConnect v2.23 -- 2010-04-09
          + Support "Cisco Secure Desktop" trojan in NetworkManager
            auth-dialog.
          + Support proxy in NetworkManager auth-dialog.
          + Add --no-http-keepalive option to work around Cisco's
            incompetence.
          + Fix build on Debian/kFreeBSD.
          + Fix crash on receiving HTTP 404 error.
          + Improve workaround for server certificates lacking SSL_SERVER
            purpose, so that it also works with OpenSSL older than 0.9.8k.

And upstream git doesn't appear to have any subsequent regression
fixes.

Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
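For readers following the bug: the quoted changelog entry "Check server hostname against its certificate" is the part that closes the MITM hole, so here is an added illustration (not OpenConnect's code, and not from either poster) of what that check amounts to. It takes a peer certificate in the dict layout that Python's ssl.SSLSocket.getpeercert() returns and applies the RFC 6125 rules (dNSName subjectAltName entries take precedence, the subject CN is a fallback only when no dNSName is present, and a wildcard is honoured only as the whole leftmost label matching exactly one label), alongside a client SSLContext that enforces both chain and hostname verification. The certificate dicts are constructed sample data, not real certificates.

```python
"""Hostname-vs-certificate matching, as OpenConnect 2.25 started doing.

Added example, not OpenConnect code. Certificates below are constructed
sample data in the shape ssl.SSLSocket.getpeercert() returns.
"""
import ssl


def _match_dns_name(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern against a hostname (RFC 6125 style)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    # The wildcard must be the complete leftmost label, must be the only
    # wildcard, and patterns like "*.com" (fewer than three labels) are refused.
    if plabels[0] != "*" or len(plabels) < 3 or "*" in plabels[1:]:
        return False
    # '*' covers exactly one label: "*.vpn.example.com" does not cover
    # "a.b.vpn.example.com".
    if len(hlabels) != len(plabels):
        return False
    return plabels[1:] == hlabels[1:]


def hostname_matches_cert(cert: dict, hostname: str) -> bool:
    """True if the certificate is issued for this hostname.

    dNSName SAN entries win; the subject commonName is consulted only when
    the certificate carries no dNSName entry at all.
    """
    dns_names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_names:
        return any(_match_dns_name(p, hostname) for p in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _match_dns_name(value, hostname)
    return False


def hardened_client_context() -> ssl.SSLContext:
    """Client context that checks the chain AND the hostname.

    create_default_context() already sets verify_mode=CERT_REQUIRED and
    check_hostname=True; a wrapped socket then rejects a certificate that is
    valid but issued for a different name, which is exactly the MITM case
    the bug report describes.
    """
    return ssl.create_default_context()


# Constructed sample certificates (not real): one with SAN entries, one
# old-style with only a CN.
VPN_CERT = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "subjectAltName": (("DNS", "vpn.example.com"), ("DNS", "*.vpn.example.com")),
}
CN_ONLY_CERT = {
    "subject": ((("countryName", "GB"),), (("commonName", "vpn.example.com"),)),
}


if __name__ == "__main__":
    for host in ("vpn.example.com", "gw1.vpn.example.com",
                 "a.b.vpn.example.com", "attacker.example.com"):
        print(f"{host:24s} -> {hostname_matches_cert(VPN_CERT, host)}")
    ctx = hardened_client_context()
    print("check_hostname:", ctx.check_hostname,
          "verify_mode:", ctx.verify_mode == ssl.CERT_REQUIRED)
```

The point of the fallback ordering is the same one the changelog implies: a certificate that chains to a trusted CA but names a different host is still "invalid" for this connection, and a client that only checks the chain (or nothing at all, as versions before 2.25 did by default) cannot tell the legitimate gateway from an interposed one.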