Package: apt-cacher-ng
Version: 0.9.1-1ubuntu1
Severity: important

Dear Maintainer,

apt-cacher-ng 0.9.1-1~bpo8+1 as included in the backports for Debian
Jessie, 0.9.1-1ubuntu1 as included in Ubuntu Xenial as well as the
version in the "upstream/sid" branch do not verify the hostname in
certificates when making outgoing TLS connections (HTTPS). This report
is produced on an Ubuntu installation, but the issue is unrelated to the
distribution.

How to reproduce:

* Insert "172.217.19.14 fakegoogle" into /etc/hosts
* Test whether OpenSSL complains about a mismatching name (requires a
  sufficiently recent OpenSSL version):
    $ openssl s_client -verify 2 -verify_hostname fakegoogle \
      -verify_return_error -connect fakegoogle:443
* Add "Remap-fakegoogle: /fakegoogle ; https://fakegoogle/" to the
  apt-cacher-ng configuration and restart apt-cacher-ng
* Request a file from that upstream:
    $ curl -v http://127.0.0.1:3142/fakegoogle/dists/test/Release.gpg
    ...
    > GET /fakegoogle/dists/test/Release.gpg HTTP/1.1
    ...
    < HTTP/1.1 404 Not Found

Observed behaviour: Connection to upstream succeeds despite the hostname
not matching the certificate. The error code is 404 due to Google not
serving a Release.gpg from that location. Google was only used as an
example, of course.

Expected behaviour: Connection to upstream fails due to a mismatching
hostname and the client is returned a suitable error code (probably HTTP
500).

OpenSSL 1.0.2 and newer provide a set of APIs for easier hostname
validation: https://wiki.openssl.org/index.php/Hostname_validation

Thank you,
Michael

-- Package-specific info:

-- System Information:
Debian Release: stretch/sid
  APT prefers xenial-updates
  APT policy: (500, 'xenial-updates'), (500, 'xenial-security'), (500, 'xenial'), (100, 'xenial-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.4.0-38-generic (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=de_CH.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apt-cacher-ng depends on:
ii  adduser                3.113+nmu3ubuntu4
ii  debconf [debconf-2.0]  1.5.58ubuntu1
ii  dpkg                   1.18.4ubuntu1.1
ii  init-system-helpers    1.29ubuntu2
ii  libbz2-1.0             1.0.6-8
ii  libc6                  2.23-0ubuntu3
ii  libgcc1                1:6.0.1-0ubuntu1
ii  liblzma5               5.1.1alpha+20120614-2ubuntu2
ii  libssl1.0.0            1.0.2g-1ubuntu4.5
ii  libstdc++6             5.4.0-6ubuntu1~16.04.2
ii  libsystemd0            229-4ubuntu10
ii  libwrap0               7.6.q-25
ii  zlib1g                 1:1.2.8.dfsg-2ubuntu4

apt-cacher-ng recommends no packages.

Versions of packages apt-cacher-ng suggests:
pn  avahi-daemon  <none>
pn  doc-base      <none>
ii  libfuse2      2.9.4-1ubuntu3.1
