Package: apt-cacher-ng
Version: 0.9.1-1ubuntu1
Severity: important

Dear Maintainer,
apt-cacher-ng 0.9.1-1~bpo8+1 as included in the backports for Debian Jessie, 0.9.1-1ubuntu1 as included in Ubuntu Xenial, as well as the version in the "upstream/sid" branch, do not verify the hostname in certificates when making outgoing TLS connections (HTTPS). This report is produced on an Ubuntu installation, but the issue is unrelated to the distribution.

How to reproduce:

* Insert "172.217.19.14 fakegoogle" into /etc/hosts
* Test whether OpenSSL complains about a mismatching name (requires a sufficiently recent OpenSSL version):

    $ openssl s_client -verify 2 -verify_hostname fakegoogle \
        -verify_return_error -connect fakegoogle:443

* Add "Remap-fakegoogle: /fakegoogle ; https://fakegoogle/" to the apt-cacher-ng configuration and restart apt-cacher-ng
* Request a file from that upstream:

    $ curl -v http://127.0.0.1:3142/fakegoogle/dists/test/Release.gpg
    ...
    > GET /fakegoogle/dists/test/Release.gpg HTTP/1.1
    ...
    < HTTP/1.1 404 Not Found

Observed behaviour: Connection to upstream succeeds despite the hostname not matching the certificate. The error code is 404 due to Google not serving a Release.gpg from that location. Google was only used as an example, of course.

Expected behaviour: Connection to upstream fails due to a mismatching hostname and the client is returned a suitable error code (probably HTTP 500).
OpenSSL 1.0.2 and newer provide a set of APIs for easier hostname validation: https://wiki.openssl.org/index.php/Hostname_validation

Thank you,
Michael

-- Package-specific info:

-- System Information:
Debian Release: stretch/sid
  APT prefers xenial-updates
  APT policy: (500, 'xenial-updates'), (500, 'xenial-security'), (500, 'xenial'), (100, 'xenial-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.4.0-38-generic (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=de_CH.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apt-cacher-ng depends on:
ii  adduser              3.113+nmu3ubuntu4
ii  debconf [debconf-2.0]  1.5.58ubuntu1
ii  dpkg                 1.18.4ubuntu1.1
ii  init-system-helpers  1.29ubuntu2
ii  libbz2-1.0           1.0.6-8
ii  libc6                2.23-0ubuntu3
ii  libgcc1              1:6.0.1-0ubuntu1
ii  liblzma5             5.1.1alpha+20120614-2ubuntu2
ii  libssl1.0.0          1.0.2g-1ubuntu4.5
ii  libstdc++6           5.4.0-6ubuntu1~16.04.2
ii  libsystemd0          229-4ubuntu10
ii  libwrap0             7.6.q-25
ii  zlib1g               1:1.2.8.dfsg-2ubuntu4

apt-cacher-ng recommends no packages.

Versions of packages apt-cacher-ng suggests:
pn  avahi-daemon  <none>
pn  doc-base      <none>
ii  libfuse2      2.9.4-1ubuntu3.1
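The check the report says is missing is the comparison of the requested host name against the DNS names in the server certificate. The following is an added illustration, not code from apt-cacher-ng or from OpenSSL, of the matching rule that OpenSSL's X509_check_host / X509_VERIFY_PARAM_set1_host (the 1.0.2 APIs linked above) apply: labels are compared case-insensitively, a wildcard is honoured only as the entire left-most label, it matches exactly one label, and it needs at least two labels after it. The subject-alternative-name list below is constructed for the example; in a real client the names come from the peer certificate, and production code should call the OpenSSL API rather than reimplementing the rule.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Number of dot-separated labels in a name ("a.b.c" -> 3). */
static size_t count_labels(const char *s)
{
    size_t n = 1;
    for (; *s; s++)
        if (*s == '.')
            n++;
    return n;
}

/* Length of the label starting at s (up to the next dot or end). */
static size_t label_len(const char *s)
{
    const char *dot = strchr(s, '.');
    return dot ? (size_t)(dot - s) : strlen(s);
}

/* Pointer to the label after the one starting at s (or the terminating NUL). */
static const char *skip_label(const char *s)
{
    const char *dot = strchr(s, '.');
    return dot ? dot + 1 : s + strlen(s);
}

/* Does the certificate name `pattern` (e.g. "*.example.com") cover `hostname`?
 * Implements the RFC 6125 style rule described in the lead-in. */
bool hostname_matches(const char *pattern, const char *hostname)
{
    if (!pattern || !hostname || !*pattern || !*hostname)
        return false;
    /* Reject empty labels: leading/trailing dots and "..". */
    if (pattern[0] == '.' || hostname[0] == '.' ||
        pattern[strlen(pattern) - 1] == '.' || hostname[strlen(hostname) - 1] == '.' ||
        strstr(pattern, "..") || strstr(hostname, ".."))
        return false;

    /* A wildcard stands for exactly one label, so label counts must agree. */
    size_t np = count_labels(pattern);
    if (np != count_labels(hostname))
        return false;

    const char *p = pattern, *h = hostname;
    if (label_len(p) == 1 && p[0] == '*') {
        if (np < 3)          /* "*" and "*.com" are not acceptable patterns */
            return false;
        p = skip_label(p);   /* the wildcard consumes the host's first label */
        h = skip_label(h);
    }

    while (*p && *h) {
        size_t lp = label_len(p), lh = label_len(h);
        if (lp == 0 || memchr(p, '*', lp) != NULL)   /* no partial/other wildcards */
            return false;
        if (lp != lh || strncasecmp(p, h, lp) != 0)
            return false;
        p = skip_label(p);
        h = skip_label(h);
    }
    return !*p && !*h;
}

/* True when any DNS subject-alternative-name in the certificate covers hostname. */
bool cert_covers_host(const char *const *san_dns, size_t n, const char *hostname)
{
    for (size_t i = 0; i < n; i++)
        if (hostname_matches(san_dns[i], hostname))
            return true;
    return false;
}

/* Constructed SAN list standing in for what the upstream in the report presents. */
static const char *const sample_sans[] = { "*.google.com", "google.com", "*.googleapis.com" };

/* The report's scenario: a connection to "fakegoogle" must be refused, because
 * none of the certificate's names match the name the proxy was asked for. */
bool report_scenario_refused(void)
{
    return !cert_covers_host(sample_sans, 3, "fakegoogle");
}

int main(void)
{
    printf("fakegoogle refused: %s\n", report_scenario_refused() ? "yes" : "no");
    printf("mail.google.com accepted: %s\n",
           cert_covers_host(sample_sans, 3, "mail.google.com") ? "yes" : "no");
    return 0;
}
```

A client that leaves this step out, as the report describes, accepts any certificate its trust store chains to, regardless of which host it was issued for, which is what the /etc/hosts redirection in the reproduction demonstrates.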