[Bug 1677958] Re: no SSL certificate verify

2017-05-17 Thread Ruan Linqi
This problem can be closed. Sorry for disturbing you. For some reasons, we do analysis on Ubuntu 16.04, where the nghttp2 version is 1.7.1, no SSL_set_verify(ssl, SSL_VERIFY_PEER, verify_cb) exists, so we can do MITM attack. We find in the latest version 1.22.0, this bug has been fixed. Thank for you

Re: [Bug 1677958] Re: no SSL certificate verify

2017-05-16 Thread Ruan Linqi
Nowadays we find in nghttp2-client there exists another bug. In @src/nghttp.cc: int HttpClient::initiate_connection() { [...] ssl = SSL_new(ssl_ctx); [...] SSL_set_fd(ssl, fd); SSL_set_connect_state(ssl); [...] writefn = ::connected; } The function

[Bug 1677958] Re: no SSL certificate verify

2017-05-03 Thread Ruan Linqi
The code maintainer has confirmed the bug and added a large text inside the source code to implement that is insecure for production use. ** Changed in: nghttp2 (Ubuntu) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is

Re: [Bug 1677951] Re: incomplete SSL certificate verify

2017-04-12 Thread Ruan Linqi
Hi Developers: In @plugins/sslutils.c:164~248, I see you get the certificate and verify some properties of it. So plugin is planning to do so? Why not use the judgement: SSL_get_verify_result(ssl) == X509_V_OK to guarantee valid cert verification? 2017-04-06 17:16 GMT+08:00 Jan Wagner

[Bug 1681177] [NEW] Disabled SSL certificate verify

2017-04-09 Thread Ruan Linqi
Public bug reported: Hi developers: We made a large scale security static analysis on several open source projects, and found some mistakes in dnsval-2.0. In the @libval/valdane.c:743: int val_dane_check(val_context_t *ctx,SSL *con,struct val_danestatus *danestatus,int *do_pathval)

Re: [Bug 1677947] Re: no SSL certificate verify

2017-04-01 Thread Ruan Linqi
According to the OpenSSL documentation, a correct certificate chain validation pattern is like this: const SSL_METHOD *method; SSL_CTX *ctx; SSL *ssl; [...] method = TLSv1_client_method(); //select protocol [...] ctx = SSL_CTX_new(method); //Create CTX [...] ssl = SSL_new(ctx); //Create SSL [...] //set

[Bug 1677951] Re: incomplete SSL certificate verify

2017-03-31 Thread Ruan Linqi
OK. Here is the link: https://github.com/monitoring-plugins/monitoring-plugins/issues/1479 Thanks. 2017-03-31 22:01 GMT+08:00 Daniel Llewellyn: > Thank you for taking the time to report this bug and helping to make > Ubuntu better. The issue you are reporting is an upstream

[Bug 1677958] Re: no SSL certificate verify

2017-03-31 Thread Ruan Linqi
** Information type changed from Private Security to Public -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1677958 Title: no SSL certificate verify To manage notifications about this bug go to:

[Bug 1677951] Re: incomplete SSL certificate verify

2017-03-31 Thread Ruan Linqi
** Information type changed from Private Security to Public -- https://bugs.launchpad.net/bugs/1677951 Title: incomplete SSL certificate verify

[Bug 1677558] Re: no SSL certificate verify

2017-03-31 Thread Ruan Linqi
** Information type changed from Private Security to Public -- https://bugs.launchpad.net/bugs/1677558 Title: no SSL certificate verify

[Bug 1677518] Re: Disabled SSL certificate verify

2017-03-31 Thread Ruan Linqi
** Information type changed from Private Security to Public -- https://bugs.launchpad.net/bugs/1677518 Title: Disabled SSL certificate verify

[Bug 1677947] Re: no SSL certificate verify

2017-03-31 Thread Ruan Linqi
** Information type changed from Private Security to Public -- https://bugs.launchpad.net/bugs/1677947 Title: no SSL certificate verify

[Bug 1677511] Re: Disabled SSL certificate verify

2017-03-31 Thread Ruan Linqi
** Information type changed from Private Security to Public -- https://bugs.launchpad.net/bugs/1677511 Title: Disabled SSL certificate verify

[Bug 1677506] Re: incomplete SSL certificate verify

2017-03-31 Thread Ruan Linqi
** Information type changed from Private Security to Public -- https://bugs.launchpad.net/bugs/1677506 Title: incomplete SSL certificate verify

[Bug 1677501] Re: no SSL certificate verify

2017-03-31 Thread Ruan Linqi
** Information type changed from Private Security to Public -- https://bugs.launchpad.net/bugs/1677501 Title: no SSL certificate verify

[Bug 1677495] Re: no SSL certificate verify

2017-03-31 Thread Ruan Linqi
** Information type changed from Private Security to Public -- https://bugs.launchpad.net/bugs/1677495 Title: no SSL certificate verify

[Bug 1677493] Re: no SSL certificate verify

2017-03-31 Thread Ruan Linqi
** Information type changed from Private Security to Public -- https://bugs.launchpad.net/bugs/1677493 Title: no SSL certificate verify