curl-library
Re: curl bad verify SSL certificates (fwd)
From: Daniel Stenberg <daniel_at_haxx.se>
Date: Mon, 19 Aug 2002 06:59:06 +0200 (MET DST)
forwarded to the libcurl mailing list
--
Daniel Stenberg -- curl related mails on curl related mailing lists please

---------- Forwarded message ----------
Date: Sun, 18 Aug 2002 15:35:00 -0400
From: Tom Zerucha <tz_at_execpc.com>
To: Daniel Stenberg <daniel_at_haxx.se>
Subject: Re: curl bad verify SSL certificates (fwd)

On Sat, Aug 17, 2002 at 03:06:30PM +0200, Daniel Stenberg wrote:
> On Thu, 15 Aug 2002, Daniel Stenberg wrote:
>
> > Full details are here:
> http://sourceforge.net/tracker/?func=detail&aid=595426&group_id=976&atid=100976
>
> No, I still cannot see what the problem is or what the solution is supposed
> to do.
>
> What kind of warning are you referring to that curl should display? When we're
> running SSL without verifying the remote's certificate, how can we warn and
> for what?

The callback should not simply return 'ok', in fact it should return the
opposite unless it properly validates the certificate chain or is explicitly
overridden (or, more properly, has a correct certificate installed in the
openssl certs directory).

> Yes, we could theoretically add the "error 20" you mention that the 'openssl'
> tool displays, but what good would that do? That error would also get
> displayed on *numerous* non-spoofed uses of SSL... (as I tried this).

Then you don't have openssl installed properly (with the certs and hashes,
usually in /usr/local/ssl/certs), or don't have the certificate directory set
correctly so it can't find them.

> So, my question remains. What is the problem and what is the solution?

Problem: You really have no idea if the site you are talking to is really who
they claim to be. You could be connecting to a credit-card number or password
stealing site instead of the actual site and would have no indication of any
problem.

Solution: Rewrite the certificate verify callback to actually check the
certificate chain properly. Don't connect without an override.

I am working on a correct patch for this and various other openssl
implementations, but I am limited since I don't have all the testing
infrastructure available to me, and the existing exploit demonstration sites
close down at times.

Received on 2002-08-19
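An added example, not code from the thread or from curl: it exercises the same OpenSSL chain verification that an always-"ok" verify callback hides, through Python's stdlib `ssl` module (a wrapper over SSL_CTX_set_verify and load_verify_locations), against a self-signed certificate generated locally. It assumes the `openssl` CLI is on PATH; the hostname `example.test`, the file names and the three scenario labels are constructed for the demonstration. Because the test server is self-signed, the "no CA" case yields OpenSSL error 18 (self-signed at depth 0) rather than the thread's error 20; both mean the issuer was not found in the trust store.

```python
import os
import ssl
import subprocess
import tempfile

def make_self_signed(directory, hostname="example.test"):
    """Throwaway key + self-signed cert via the openssl CLI (assumed on PATH)."""
    key, crt = os.path.join(directory, "key.pem"), os.path.join(directory, "cert.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-keyout", key, "-out", crt, "-days", "1", "-subj", f"/CN={hostname}",
                    "-addext", f"subjectAltName=DNS:{hostname}"],
                   check=True, capture_output=True)
    return key, crt

def client_context(mode, cafile=None):
    """'verify': CA store loaded; 'verify-no-ca': verification on but the issuer is
    not in the store (the misconfigured certs dir case); 'override': explicit opt-out."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check (SSL_VERIFY_PEER)
    if mode == "verify":
        ctx.load_verify_locations(cafile=cafile)
    elif mode == "override":
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # what "connect without verifying" really means
    return ctx

def handshake(client_ctx, server_ctx, hostname):
    """In-memory TLS handshake: None on success, else OpenSSL's (verify_code, message)."""
    c_in, c_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = client_ctx.wrap_bio(c_in, c_out, server_hostname=hostname)
    server = server_ctx.wrap_bio(c_out, c_in, server_side=True)
    try:
        for _ in range(10):  # alternate sides until neither needs more input
            pending = False
            for side in (client, server):
                try:
                    side.do_handshake()
                except ssl.SSLWantReadError:
                    pending = True
            if not pending:
                return None
    except ssl.SSLCertVerificationError as e:  # the verdict a return-1 callback discards
        return (e.verify_code, e.verify_message)
    return (-1, "handshake did not complete")

def run_scenarios():
    # Same self-signed server, three client configurations (constructed scenario).
    with tempfile.TemporaryDirectory() as d:
        key, crt = make_self_signed(d)
        srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        srv.load_cert_chain(crt, key)
        return {m: handshake(client_context(m, crt), srv, "example.test")
                for m in ("verify", "verify-no-ca", "override")}
```

Only the "override" case connects without a verdict from OpenSSL; with verification on and the CA missing, the handshake is refused instead of silently succeeding.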