Re: [libgadu-devel] How to Report a Security Bug in libgadu

2013-09-27 Thread Radhesh Krishnan K
Hi Wojtek, Thank you for your response. Could you request a CVE for this ? On Fri, Sep 27, 2013 at 2:21 AM, Wojtek Kaniewski wojte...@toxygen.net wrote: On Thu, 2013-09-19 at 19:40 +0530, Radhesh Krishnan K wrote: I couldn't follow up with this for long time. Is this bug fixed ?

Re: [libgadu-devel] How to Report a Security Bug in libgadu

2013-09-26 Thread Wojtek Kaniewski
On Thu, 2013-09-19 at 19:40 +0530, Radhesh Krishnan K wrote: I couldn't follow up with this for long time. Is this bug fixed ? libgadu now rejects connection when certificate verification fails and gg_login_params.tls is set to GG_SSL_REQUIRED. When .tls is set to GG_SSL_ENABLED it

Re: [libgadu-devel] How to Report a Security Bug in libgadu

2013-09-19 Thread Radhesh Krishnan K
Hi, I couldn't follow up with this for long time. Is this bug fixed ? On Sun, Jun 16, 2013 at 10:52 PM, Wojtek Kaniewski wojte...@toxygen.net wrote: On Sat, 2013-06-15 at 23:20 +0200, Bartosz Brachaczek wrote: Does this function also verify the host name? It seems that it doesn't

Re: [libgadu-devel] How to Report a Security Bug in libgadu

2013-06-16 Thread Wojtek Kaniewski
On Sat, 2013-06-15 at 23:20 +0200, Bartosz Brachaczek wrote: Does this function also verify the host name? It seems that it doesn't but I'd like to be sure before I start looking into it. Yeah, you're right. It doesn't. So I did implement commonName verification with rudimentary

Re: [libgadu-devel] How to Report a Security Bug in libgadu

2013-06-15 Thread Wojtek Kaniewski
On Fri, 2013-06-07 at 01:55 +0200, Bartosz Brachaczek wrote: So the functions of interest are: a) for OpenSSL: -- SSL_CTX_set_default_verify_paths() to use CA cert store configured during OpenSSL's build Does this function also verify the host name? It seems that it doesn't but

Re: [libgadu-devel] How to Report a Security Bug in libgadu

2013-06-15 Thread Bartosz Brachaczek
2013/6/15 Wojtek Kaniewski wojte...@toxygen.net: On Fri, 2013-06-07 at 01:55 +0200, Bartosz Brachaczek wrote: So the functions of interest are: a) for OpenSSL: -- SSL_CTX_set_default_verify_paths() to use CA cert store configured during OpenSSL's build Does this function also

Re: [libgadu-devel] How to Report a Security Bug in libgadu

2013-06-13 Thread Radhesh Krishnan K
I think the first option is better than the second one as it covers both possibilities. It gives the user an option to specify a CA trust store file to use and if not mentioned we can use the default. On Thu, Jun 13, 2013 at 4:08 AM, Bartosz Brachaczek b.brachac...@gmail.com wrote: 2013/6/12 Wojtek

Re: [libgadu-devel] How to Report a Security Bug in libgadu

2013-06-13 Thread Wojtek Kaniewski
2013/6/13 Bartosz Brachaczek b.brachac...@gmail.com 2013/6/12 Wojtek Kaniewski wojte...@toxygen.net: As Bartosz wrote the code for GnuTLS will be more complicated, so it may take some time. Do you have any plan for it? (...) I plan to copy and paste a part of GnuTLS' configure.ac. Take a

Re: [libgadu-devel] How to Report a Security Bug in libgadu

2013-06-13 Thread Bartosz Brachaczek
2013/6/13 Wojtek Kaniewski wojte...@toxygen.net: I plan to copy and paste a part of GnuTLS' configure.ac. Take a look at https://gitorious.org/gnutls/gnutls/blobs/c59329a089a9ed108692066de95f533f482b5422/configure.ac line 377. And if we detect GnuTLS 3.x we'll use appropriate function. Are you

Re: [libgadu-devel] How to Report a Security Bug in libgadu

2013-06-12 Thread Wojtek Kaniewski
On Wed, 2013-06-12 at 12:42 +0530, Radhesh Krishnan K wrote: I was wondering if there is any update on this ? I committed the verification code for OpenSSL version. As Bartosz wrote the code for GnuTLS will be more complicated, so it may take some time. Regards, Wojtek

Re: [libgadu-devel] How to Report a Security Bug in libgadu

2013-06-12 Thread Bartosz Brachaczek
2013/6/12 Wojtek Kaniewski wojte...@toxygen.net: As Bartosz wrote the code for GnuTLS will be more complicated, so it may take some time. Do you have any plan for it? I have performed some research and the options seem to be to: 1) Have a build-time option to explicitly specify a CA trust

Re: [libgadu-devel] How to Report a Security Bug in libgadu

2013-06-07 Thread Radhesh Krishnan K
Hi Bartosz, Adding Equifax Secure CA one to the list of trusted CA's sounds like a good idea to me. On Fri, Jun 7, 2013 at 5:25 AM, Bartosz Brachaczek b.brachac...@gmail.com wrote: (Reposting my conversation with Wojtek to the mailing list. I have just noticed we switched away from it).

Re: [libgadu-devel] How to Report a Security Bug in libgadu

2013-06-06 Thread Bartosz Brachaczek
(Reposting my conversation with Wojtek to the mailing list. I have just noticed we switched away from it). 2013/6/7 Bartosz Brachaczek b.brachac...@gmail.com: 2013/6/6 Wojtek Kaniewski wojte...@toxygen.net: On Tue, 2013-06-04 at 13:37 +0200, Bartosz Brachaczek wrote: But checking

Re: [libgadu-devel] How to Report a Security Bug in libgadu

2013-06-04 Thread Radhesh Krishnan K
Hi Wojtek, Sorry, I have a doubt. I would like to know how certificate validation is performed in the proprietary protocol and why something similar cannot be performed in this case? On Tue, Jun 4, 2013 at 4:41 AM, Wojtek Kaniewski wojte...@toxygen.net wrote: On Sun, 2013-06-02 at

Re: [libgadu-devel] How to Report a Security Bug in libgadu

2013-06-04 Thread Bartosz Brachaczek
Hi, Simply using SSL_get_verify_result() is not a solution here, as it returns X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY when connecting to the proprietary servers on my system (I assume I am not being attacked, you might want to confirm it yourself). But checking which certificates are

Re: [libgadu-devel] How to Report a Security Bug in libgadu

2013-06-04 Thread Radhesh Krishnan K
Hi Bartosz, First of all, thank you for volunteering to check this out. If client trusts a CA which is not universally trusted, is it possible to find that CA information within the client ? If yes we can use the same CA to check the certificates, right ? On Tue, Jun 4, 2013 at 5:07 PM,

Re: [libgadu-devel] How to Report a Security Bug in libgadu

2013-06-03 Thread Wojtek Kaniewski
On Sun, 2013-06-02 at 19:02 +0530, Radhesh Krishnan K wrote: I would like to report a security bug in libgadu. libgadu is using openSSL library for creating secure connections. (...) So the product using libgadu will be vulnerable to man-in-the-middle attack. It was rather a

Re: [libgadu-devel] How to Report a Security Bug in libgadu

2013-06-02 Thread Radhesh Krishnan K
Hi, I would like to report a security bug in libgadu. libgadu is using openSSL library for creating secure connections. A program using openSSL can perform SSL handshake by invoking the SSL_connect function. Some certificate validation errors are signaled through the return values of the