*** This bug is a security vulnerability ***

Public security bug reported:

Recently, we have been trying to find SSL security problems by static
analysis. For example, as we all know, hostname verification is an
important step when verifying X509 certificates; however, people tend to
miss the step or to misunderstand the APIs when using SSL/TLS, which
might cause severe man-in-the-middle attacks and break the entire TLS
mechanism. Static analysis is a way of finding whether the APIs are
called correctly.

Now, we have found some SSL problems in crtmpserver; the details are as follows:

-----------------------------------------------------------------------------
file : crtmpserver-apps/crtmpserver-1.0~dfsg/thelib/src/protocols/ssl/outboundsslprotocol.cpp
-----------------------------------------------------------------------------
function :                                 OutboundSSLProtocol::DoHandshake()
-----------------------------------------------------------------------------
SSL method :                                 \
-----------------------------------------------------------------------------
SSL_CTX_set_verify() argument :            SSL_VERIFY_NONE
-----------------------------------------------------------------------------
Have SSL_CTX_set_verify ( SSL_set_verify) callback : NO
-----------------------------------------------------------------------------
call SSL_get_peer_certificate():            NO
-----------------------------------------------------------------------------
call  SSL_get_verify_result():              NO
-----------------------------------------------------------------------------

According to the above result, we think the SSL connection in
crtmpserver is not secure.

More specifically, we can take the function SSL_CTX_set_verify() as an
example: when using OpenSSL, if we call SSL_CTX_set_verify(ssl_ctx,
SSL_VERIFY_NONE, null), we should verify the certificate by calling the
function SSL_get_peer_certificate() to get the certificate. If the
source code does not match this model, then we can deduce that this code
is vulnerable. Other APIs have similar problems.

PS: for more information, you can see the paper:
http://people.stfx.ca/x2011/x2011ucj/SSL/p38-georgiev.pdf
For more details you can contact us; we will be very glad for your
response.

Thanks.

** Affects: crtmpserver (Ubuntu)
     Importance: Undecided
         Status: New
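
The check model in the report above (verify mode, callback, SSL_get_peer_certificate(), SSL_get_verify_result()) can be approximated with a small source scanner. This is an added example, not the reporters' tool and not crtmpserver code; the two C++ samples are constructed, and the hostname check (SSL_set1_host, X509_check_host, X509_VERIFY_PARAM_set1_host) goes one step beyond the table in the report.

```python
import re

# Constructed C++ samples for illustration (not taken from crtmpserver).
WEAK = """
bool Client::DoHandshake() {
    // SSL_get_verify_result(ssl) is only mentioned in this comment
    SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
    return SSL_connect(ssl) == 1;
}
"""
CHECKED = """
bool Client::DoHandshake() {
    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
    SSL_set1_host(ssl, host);  /* bind the certificate to the hostname */
    if (SSL_connect(ssl) != 1) return false;
    return SSL_get_verify_result(ssl) == X509_V_OK;
}
"""

COMMENTS = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)
VERIFY = re.compile(r"\bSSL(?:_CTX)?_set_verify\s*\(([^;]*?)\)\s*;", re.S)
HOST_APIS = ("SSL_set1_host", "X509_check_host", "X509_VERIFY_PARAM_set1_host")

def calls(code, name):
    """True if `name(` appears as a call in comment-stripped code."""
    return re.search(r"\b%s\s*\(" % re.escape(name), code) is not None

def audit(source):
    code = COMMENTS.sub(" ", source)  # ignore API names inside comments
    rep = {"mode": None, "callback": False,
           "peer_cert": calls(code, "SSL_get_peer_certificate"),
           "verify_result": calls(code, "SSL_get_verify_result"),
           "hostname": any(calls(code, n) for n in HOST_APIS)}
    for m in VERIFY.finditer(code):
        args = [a.strip() for a in m.group(1).split(",")]
        if len(args) == 3:  # (ctx, mode, callback)
            rep["mode"] = args[1]
            rep["callback"] = args[2] not in ("NULL", "0", "nullptr")
    findings = []
    # OpenSSL's default mode is SSL_VERIFY_NONE, so "never set" counts too.
    unverified = rep["mode"] in (None, "SSL_VERIFY_NONE")
    manual = rep["peer_cert"] and rep["verify_result"]
    if unverified and not (rep["callback"] or manual):
        findings.append("certificate chain never verified")
    if not rep["hostname"]:
        findings.append("no hostname verification")
    rep["findings"] = findings
    return rep
```

A custom verify callback is only recorded here, not judged; a callback that always returns 1 still needs manual review.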

** Information type changed from Private Security to Public Security

** Description changed:

  Recently, we are trying to find SSL security problems by static
  analysis. For example, as we all know, Hostname verification is an
  important step when verifying X509 certificates, however, people tend to
  miss the step or to misunderstand the APIs when using SSL/TLS, which
  might cause severe man in the middle attack and break the entire TLS
  mechanism. And static analysis is a way of finding whether the APIs are
  called correctly.
  
  Now, we find some SSL problems in crtmpserver, the following is details:
  
-                                                                               
     function: OutboundSSLProtocol::DoHandshake()
-                                                                             
SSL method:  \
-                                      SSL_CTX_set_verify() argument:  
SSL_VERIFY_NONE
- Have SSL_CTX_set_verify ( SSL_set_verify) callback:  NO
-                                        call SSL_get_peer_certificate():  NO
-                                              call  SSL_get_verify_result():  
NO
+ 
-----------------------------------------------------------------------------function
                                           |  OutboundSSLProtocol::DoHandshake()
+ SSL method                                         |   \
+ SSL_CTX_set_verify() argument                      |   SSL_VERIFY_NONE
+ Have SSL_CTX_set_verify ( SSL_set_verify) callback | NO
+                                        call SSL_get_peer_certificate():  NO
+                                              call  SSL_get_verify_result():  
NO
  
  According to the above result, we think the SSL connection in
  crtmpserver is not secure.
  
  More specifically , we can take function SSL_CTX_set_verify() for
  example, when using OPENSSL, if we call SSL_CTX_set_verify(ssl_ctx,
  SSL_VERIFY_NONE, null), we should verify the certificate by calling the
  function SSL_get_peer_certificate() to get the certificate. If the
  source code does not match this model, then we can deduce this code is
  vulnerable. And other APIs have similar problems.
  
  PS: for more information, you can see the paper: 
http://people.stfx.ca/x2011/x2011ucj/SSL/p38-georgiev.pdf
  and more details you can contact with us, we will be very glad for your 
responce.
  
  Thanks.

** Description changed:

  Recently, we are trying to find SSL security problems by static
  analysis. For example, as we all know, Hostname verification is an
  important step when verifying X509 certificates, however, people tend to
  miss the step or to misunderstand the APIs when using SSL/TLS, which
  might cause severe man in the middle attack and break the entire TLS
  mechanism. And static analysis is a way of finding whether the APIs are
  called correctly.
  
  Now, we find some SSL problems in crtmpserver, the following is details:
  
- 
-----------------------------------------------------------------------------function
                                           |  OutboundSSLProtocol::DoHandshake()
+ 
-----------------------------------------------------------------------------function
                        |OutboundSSLProtocol::DoHandshake()
  SSL method                                         |   \
  SSL_CTX_set_verify() argument                      |   SSL_VERIFY_NONE
  Have SSL_CTX_set_verify ( SSL_set_verify) callback | NO
                                         call SSL_get_peer_certificate():  NO
                                               call  SSL_get_verify_result():  
NO
  
  According to the above result, we think the SSL connection in
  crtmpserver is not secure.
  
  More specifically , we can take function SSL_CTX_set_verify() for
  example, when using OPENSSL, if we call SSL_CTX_set_verify(ssl_ctx,
  SSL_VERIFY_NONE, null), we should verify the certificate by calling the
  function SSL_get_peer_certificate() to get the certificate. If the
  source code does not match this model, then we can deduce this code is
  vulnerable. And other APIs have similar problems.
  
  PS: for more information, you can see the paper: 
http://people.stfx.ca/x2011/x2011ucj/SSL/p38-georgiev.pdf
  and more details you can contact with us, we will be very glad for your 
responce.
  
  Thanks.

** Description changed:

  Recently, we are trying to find SSL security problems by static
  analysis. For example, as we all know, Hostname verification is an
  important step when verifying X509 certificates, however, people tend to
  miss the step or to misunderstand the APIs when using SSL/TLS, which
  might cause severe man in the middle attack and break the entire TLS
  mechanism. And static analysis is a way of finding whether the APIs are
  called correctly.
  
  Now, we find some SSL problems in crtmpserver, the following is details:
  
- 
-----------------------------------------------------------------------------function
                        |OutboundSSLProtocol::DoHandshake()
- SSL method                                         |   \
- SSL_CTX_set_verify() argument                      |   SSL_VERIFY_NONE
- Have SSL_CTX_set_verify ( SSL_set_verify) callback | NO
-                                        call SSL_get_peer_certificate():  NO
-                                              call  SSL_get_verify_result():  
NO
+ 
-----------------------------------------------------------------------------function
 :                                 OutboundSSLProtocol::DoHandshake()
+ SSL method :                                 \
+ SSL_CTX_set_verify() argument :            SSL_VERIFY_NONE
+ Have SSL_CTX_set_verify ( SSL_set_verify) callback : NO
+ call SSL_get_peer_certificate():            NO
+ call  SSL_get_verify_result():              NO
  
  According to the above result, we think the SSL connection in
  crtmpserver is not secure.
  
  More specifically , we can take function SSL_CTX_set_verify() for
  example, when using OPENSSL, if we call SSL_CTX_set_verify(ssl_ctx,
  SSL_VERIFY_NONE, null), we should verify the certificate by calling the
  function SSL_get_peer_certificate() to get the certificate. If the
  source code does not match this model, then we can deduce this code is
  vulnerable. And other APIs have similar problems.
  
  PS: for more information, you can see the paper: 
http://people.stfx.ca/x2011/x2011ucj/SSL/p38-georgiev.pdf
  and more details you can contact with us, we will be very glad for your 
responce.
  
  Thanks.

** Description changed:

  Recently, we are trying to find SSL security problems by static
  analysis. For example, as we all know, Hostname verification is an
  important step when verifying X509 certificates, however, people tend to
  miss the step or to misunderstand the APIs when using SSL/TLS, which
  might cause severe man in the middle attack and break the entire TLS
  mechanism. And static analysis is a way of finding whether the APIs are
  called correctly.
  
  Now, we find some SSL problems in crtmpserver, the following is details:
  
  
-----------------------------------------------------------------------------function
 :                                 OutboundSSLProtocol::DoHandshake()
  SSL method :                                 \
  SSL_CTX_set_verify() argument :            SSL_VERIFY_NONE
  Have SSL_CTX_set_verify ( SSL_set_verify) callback : NO
  call SSL_get_peer_certificate():            NO
  call  SSL_get_verify_result():              NO
+ -----------------------------------------------------------------------------
  
  According to the above result, we think the SSL connection in
  crtmpserver is not secure.
  
  More specifically , we can take function SSL_CTX_set_verify() for
  example, when using OPENSSL, if we call SSL_CTX_set_verify(ssl_ctx,
  SSL_VERIFY_NONE, null), we should verify the certificate by calling the
  function SSL_get_peer_certificate() to get the certificate. If the
  source code does not match this model, then we can deduce this code is
  vulnerable. And other APIs have similar problems.
  
  PS: for more information, you can see the paper: 
http://people.stfx.ca/x2011/x2011ucj/SSL/p38-georgiev.pdf
  and more details you can contact with us, we will be very glad for your 
responce.
  
  Thanks.

** Description changed:

  Recently, we are trying to find SSL security problems by static
  analysis. For example, as we all know, Hostname verification is an
  important step when verifying X509 certificates, however, people tend to
  miss the step or to misunderstand the APIs when using SSL/TLS, which
  might cause severe man in the middle attack and break the entire TLS
  mechanism. And static analysis is a way of finding whether the APIs are
  called correctly.
  
  Now, we find some SSL problems in crtmpserver, the following is details:
  
- 
-----------------------------------------------------------------------------function
 :                                 OutboundSSLProtocol::DoHandshake()
+ -----------------------------------------------------------------------------
+ file : 
crtmpserver-apps/crtmpserver-1.0~dfsg/thelib/src/protocols/ssl/outboundsslprotocol.cpp
+ function :                                 OutboundSSLProtocol::DoHandshake()
  SSL method :                                 \
  SSL_CTX_set_verify() argument :            SSL_VERIFY_NONE
  Have SSL_CTX_set_verify ( SSL_set_verify) callback : NO
  call SSL_get_peer_certificate():            NO
  call  SSL_get_verify_result():              NO
  -----------------------------------------------------------------------------
  
  According to the above result, we think the SSL connection in
  crtmpserver is not secure.
  
  More specifically , we can take function SSL_CTX_set_verify() for
  example, when using OPENSSL, if we call SSL_CTX_set_verify(ssl_ctx,
  SSL_VERIFY_NONE, null), we should verify the certificate by calling the
  function SSL_get_peer_certificate() to get the certificate. If the
  source code does not match this model, then we can deduce this code is
  vulnerable. And other APIs have similar problems.
  
  PS: for more information, you can see the paper: 
http://people.stfx.ca/x2011/x2011ucj/SSL/p38-georgiev.pdf
  and more details you can contact with us, we will be very glad for your 
responce.
  
  Thanks.

** Description changed:

  Recently, we are trying to find SSL security problems by static
  analysis. For example, as we all know, Hostname verification is an
  important step when verifying X509 certificates, however, people tend to
  miss the step or to misunderstand the APIs when using SSL/TLS, which
  might cause severe man in the middle attack and break the entire TLS
  mechanism. And static analysis is a way of finding whether the APIs are
  called correctly.
  
  Now, we find some SSL problems in crtmpserver, the following is details:
  
  -----------------------------------------------------------------------------
- file : 
crtmpserver-apps/crtmpserver-1.0~dfsg/thelib/src/protocols/ssl/outboundsslprotocol.cpp
+ file : crtmpserver-apps/crtmpserver-1.0~dfsg/thelib/src/protocols/ssl 
/outboundsslprotocol.cpp
+ -----------------------------------------------------------------------------
  function :                                 OutboundSSLProtocol::DoHandshake()
+ -----------------------------------------------------------------------------
  SSL method :                                 \
+ -----------------------------------------------------------------------------
  SSL_CTX_set_verify() argument :            SSL_VERIFY_NONE
+ -----------------------------------------------------------------------------
  Have SSL_CTX_set_verify ( SSL_set_verify) callback : NO
+ -----------------------------------------------------------------------------
  call SSL_get_peer_certificate():            NO
+ -----------------------------------------------------------------------------
  call  SSL_get_verify_result():              NO
  -----------------------------------------------------------------------------
  
  According to the above result, we think the SSL connection in
  crtmpserver is not secure.
  
  More specifically , we can take function SSL_CTX_set_verify() for
  example, when using OPENSSL, if we call SSL_CTX_set_verify(ssl_ctx,
  SSL_VERIFY_NONE, null), we should verify the certificate by calling the
  function SSL_get_peer_certificate() to get the certificate. If the
  source code does not match this model, then we can deduce this code is
  vulnerable. And other APIs have similar problems.
  
  PS: for more information, you can see the paper: 
http://people.stfx.ca/x2011/x2011ucj/SSL/p38-georgiev.pdf
  and more details you can contact with us, we will be very glad for your 
responce.
  
  Thanks.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1380298

Title:
  some SSL security problems

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/crtmpserver/+bug/1380298/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
