Re: Bug#590873: openconnect < 2.25 does not verify SSL server certificates
On Thu, Jul 29, 2010 at 03:45:55PM -0400, Anders Kaseorg wrote:
> Versions of OpenConnect before 2.25 do not verify that the server SSL
> certificate matches the server hostname, which enables an attacker to
> perform an MITM attack on the connection. This can be fixed by upgrading
> to OpenConnect 2.25.
>
> From the upstream changelog:
>
> OpenConnect v2.25 — 2010-05-15
> • Always validate server certificate, even when no extra --cafile is provided.
> • Add --no-cert-check option to avoid certificate validation.
> • Check server hostname against its certificate.
> • Provide text-mode function for reviewing and accepting "invalid" certificates.
> • Fix libproxy detection on NetBSD.
To the untrained eye, the diff between
6732c0e8ccb4d57d6a970973f994a9d2d3509def
and
3b2738befa7fe934d0d55b77fe1fcf28aafbe424
in upstream git is what's required for this, but the patch would need
a bit of work to apply cleanly. Note also that there
are some memory leaks fixed in 2.25 which might be a good idea to fix
too.
Given all this, might the best idea be to allow an exception for the
new upstream? The full changelog is:
* OpenConnect v2.25 -- 2010-05-15
  + Always validate server certificate, even when no extra --cafile is provided.
  + Add --no-cert-check option to avoid certificate validation.
  + Check server hostname against its certificate.
  + Provide text-mode function for reviewing and accepting "invalid" certificates.
  + Fix libproxy detection on NetBSD.
* OpenConnect v2.24 -- 2010-05-07
  + Forget preconfigured password after a single attempt; don't retry infinitely if it's failing.
  + Set $CISCO_BANNER environment variable when running script.
  + Better handling of passphrase failure on certificate files.
  + Fix NetBSD build (thanks to Pouya D. Tafti).
  + Fix DragonFly BSD build.
* OpenConnect v2.23 -- 2010-04-09
  + Support "Cisco Secure Desktop" trojan in NetworkManager auth-dialog.
  + Support proxy in NetworkManager auth-dialog.
  + Add --no-http-keepalive option to work around Cisco's incompetence.
  + Fix build on Debian/kFreeBSD.
  + Fix crash on receiving HTTP 404 error.
  + Improve workaround for server certificates lacking SSL_SERVER purpose, so that it also works with OpenSSL older than 0.9.8k.
And upstream git doesn't appear to have any subsequent regression
fixes.
Dominic.
--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)