Regarding the patch I submitted yesterday, I apologize I was inadvertently on the wrong branch and I see now that this issue has already been addressed on master and in the 1.32 unstable release in commit 45fa3f1. I have been looking at the changes introduced in that commit, and I have a few concerns:
1. OpenSSL's s_client doesn't appear to exit with an error if just the
`-verify_return_error` flag is used. I've tested this on BusyBox
1.32 with OpenSSL 1.0.2u and LibreSSL 3.1.3 and am still able to
`wget https://expired.badssl.com` without getting an error. To cause
s_client to abort with an error, it is necessary to also use the
`-verify 100` flag. Further reading on this is available at
https://www.vdoo.com/ja/blog/busybox-wget-case.
2. Even with the `-verify 100 -verify_return_error` flags, OpenSSL does
not verify that the certificate is valid for the requested hostname.
For hostname verification to work, it is necessary to use
`-verify_hostname <hostname>` for hostname based requests or
`-verify-ip` for IP address based requests.
3. The `-verify_return_error` flag gets added in argv[7]. If the end
user uses wget on an IP address rather than a hostname, argv[5] and
argv[6] will remain set to null, causing execvp not to pass any
arguments after argv[4] to s_client and resulting in no check being
performed.
signature.asc
Description: OpenPGP digital signature
_______________________________________________ busybox mailing list busybox@busybox.net http://lists.busybox.net/mailman/listinfo/busybox
