Hi Wojtek,
Thank you for your response. Could you request a CVE for this?
On Fri, Sep 27, 2013 at 2:21 AM, Wojtek Kaniewski wojte...@toxygen.net wrote:
On 2013-09-19 (Thu) at 19:40 +0530, Radhesh Krishnan K wrote:
I couldn't follow up with this for a long time. Is this bug fixed?
On 2013-09-19 (Thu) at 19:40 +0530, Radhesh Krishnan K wrote:
I couldn't follow up with this for a long time. Is this bug fixed?
libgadu now rejects connection when certificate verification fails and
gg_login_params.tls is set to GG_SSL_REQUIRED. When .tls is set to
GG_SSL_ENABLED it
Hi,
I couldn't follow up with this for a long time. Is this bug fixed?
On Sun, Jun 16, 2013 at 10:52 PM, Wojtek Kaniewski wojte...@toxygen.net wrote:
On 2013-06-15 (Sat) at 23:20 +0200, Bartosz Brachaczek wrote:
Does this function also verify the host name? It seems that it doesn't
On 2013-06-15 (Sat) at 23:20 +0200, Bartosz Brachaczek wrote:
Does this function also verify the host name? It seems that it doesn't
but I'd like to be sure before I start looking into it.
Yeah, you're right. It doesn't.
So I did implement commonName verification with rudimentary
On 2013-06-07 (Fri) at 01:55 +0200, Bartosz Brachaczek wrote:
So the functions of interest are:
a) for OpenSSL:
-- SSL_CTX_set_default_verify_paths() to use CA cert store configured
during OpenSSL's build
Does this function also verify the host name? It seems that it doesn't
but
2013/6/15 Wojtek Kaniewski wojte...@toxygen.net:
On 2013-06-07 (Fri) at 01:55 +0200, Bartosz Brachaczek wrote:
So the functions of interest are:
a) for OpenSSL:
-- SSL_CTX_set_default_verify_paths() to use CA cert store configured
during OpenSSL's build
Does this function also
I think first option is better than the second one as it covers both
possibilities. It gives the user an option to specify a CA trust store file
to use and if not mentioned we can use the default.
On Thu, Jun 13, 2013 at 4:08 AM, Bartosz Brachaczek
b.brachac...@gmail.com wrote:
2013/6/12 Wojtek
2013/6/13 Bartosz Brachaczek b.brachac...@gmail.com
2013/6/12 Wojtek Kaniewski wojte...@toxygen.net:
As Bartosz wrote
the code for GnuTLS will be more complicated, so it may take some time.
Do you have any plan for it? (...)
I plan to copy and paste a part of GnuTLS' configure.ac. Take a
2013/6/13 Wojtek Kaniewski wojte...@toxygen.net:
I plan to copy and paste a part of GnuTLS' configure.ac. Take a look at
https://gitorious.org/gnutls/gnutls/blobs/c59329a089a9ed108692066de95f533f482b5422/configure.ac
line 377. And if we detect GnuTLS 3.x we'll use appropriate function. Are
you
On 2013-06-12 (Wed) at 12:42 +0530, Radhesh Krishnan K wrote:
I was wondering if there is any update on this?
I committed the verification code for OpenSSL version. As Bartosz wrote
the code for GnuTLS will be more complicated, so it may take some time.
Regards,
Wojtek
2013/6/12 Wojtek Kaniewski wojte...@toxygen.net:
As Bartosz wrote
the code for GnuTLS will be more complicated, so it may take some time.
Do you have any plan for it? I have performed some research and the
options seem to be to:
1) Have a build-time option to explicitly specify a CA trust
Hi Bartosz,
Adding Equifax Secure CA one to the list of trusted CA's sounds like a
good idea to me.
On Fri, Jun 7, 2013 at 5:25 AM, Bartosz Brachaczek
b.brachac...@gmail.com wrote:
(Reposting my conversation with Wojtek to the mailing list. I have
just noticed we switched away from it).
(Reposting my conversation with Wojtek to the mailing list. I have
just noticed we switched away from it).
2013/6/7 Bartosz Brachaczek b.brachac...@gmail.com:
2013/6/6 Wojtek Kaniewski wojte...@toxygen.net:
On 2013-06-04 (Tue) at 13:37 +0200, Bartosz Brachaczek wrote:
But checking
Hi Wojtek,
Sorry, I have a doubt. I would like to know how certificate validation is
performed in the proprietary protocol and why something similar cannot be
performed in this case?
On Tue, Jun 4, 2013 at 4:41 AM, Wojtek Kaniewski wojte...@toxygen.net wrote:
On 2013-06-02 (Sun) at
Hi,
Simply using SSL_get_verify_result() is not a solution here, as it
returns X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY when connecting
to the proprietary servers on my system (I assume I am not being
attacked, you might want to confirm it yourself).
But checking which certificates are
On 2013-06-02 (Sun) at 19:02 +0530, Radhesh Krishnan K wrote:
I would like to report a security bug in libgadu. libgadu is using
OpenSSL library for creating secure connections.
(...)
So the product using libgadu will be vulnerable to man-in-the-middle
attack.
It was rather a
Hi,
I would like to report a security bug in libgadu. libgadu is using OpenSSL
library for creating secure connections.
A program using OpenSSL can perform SSL handshake by invoking the
SSL_connect function. Some certificate validation errors are signaled
through the return values of the
Hi all,
I would like to know how to report a security bug in libgadu. I don't see
any option to report a bug here http://toxygen.net/libgadu/.
--.
Regards,
Radhesh Krishnan K.
___
libgadu-devel mailing list