** Also affects: nghttp2 (Ubuntu Xenial)
Importance: Undecided
Status: New
** Changed in: nghttp2 (Ubuntu)
Status: New => Fix Released
** Changed in: nghttp2 (Ubuntu Xenial)
Status: New => Confirmed
--
You received this bug notification because you are a member of
** Also affects: nghttp2 (Ubuntu Xenial)
Importance: Undecided
Status: New
** Changed in: nghttp2 (Ubuntu)
Status: New => Fix Released
** Changed in: nghttp2 (Ubuntu Xenial)
Status: New => Confirmed
--
You received this bug notification because you are a member of
Ruan, it's ok! Thank you for your detailed analyses. It sounds like this
is still a potential security issue in 16.04, at least.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1677958
Title:
no SSL
This problem can be closed .Sorry for disturbing you.For some reasons ,we do
analysis on Ubuntu 16.04.,where the nghttp2 version is 1.7.1, NO
SSL_set_verify(ssl, SSL_VERIFY_PEER, verify_cb) exists,so we can do MITM
attack.
We find in the lastest version 1.22.0,this bug has fixed.Thank for you
Hello Ruan,
Thank you for keeping us apprised of the situation.
I see in that function, that they do call
SSL_set_verify(ssl, SSL_VERIFY_PEER, verify_cb);
[elided from your excerpt]
but you are saying the MITM attack exists because they are not verifying
the global context?
** Changed in:
Hello Ruan,
Thank you for keeping us apprised of the situation.
I see in that function, that they do call
SSL_set_verify(ssl, SSL_VERIFY_PEER, verify_cb);
[elided from your excerpt]
but you are saying the MITM attack exists because they are not verifying
the global context?
** Changed in:
Nowadays We find in nghttp2-client there exists other bug .
In @src/nghttp.cc:
int HttpClient::initiate_connection()
{
[...]
ssl = SSL_new(ssl_ctx);
[...]
SSL_set_fd(ssl.fd);
SSL_set_connect_state(ssl);
[...]
writefn = ::connected;
}
The function
To be clear, this bug is in example code to demonstrate how one uses
libnghttp2, not in any actual libnghttp2 code.
The upstream developer Tatsuhiro Tsujikawa (offlist) said:
> Thank you for the security analysis.
> examples/client.c is an example program to show how to use libnghttp2, and we
To be clear, this bug is in example code to demonstrate how one uses
libnghttp2, not in any actual libnghttp2 code.
The upstream developer Tatsuhiro Tsujikawa (offlist) said:
> Thank you for the security analysis.
> examples/client.c is an example program to show how to use libnghttp2, and we
The code maintainer have confirm the bug and add a large text inside
the source code to implement that is insecure for production use.
** Changed in: nghttp2 (Ubuntu)
Status: New => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is
Also, 1.7.1 is only present in 16.04, there have been many updates to
the package since then -- can you verify if it was fixed upstream
already and at what version?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
Has this been reported upstream to nghttp2?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1677958
Title:
no SSL certificate verify
To manage notifications about this bug go to:
** Information type changed from Private Security to Public
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1677958
Title:
no SSL certificate verify
To manage notifications about this bug go to:
13 matches
Mail list logo