Public bug reported:
Hi developers:
We made a large scale security static analysis on several open source
projects, and found some mistakes in dnsval-2.0. In the @libval/valdane.c:743:
int val_dane_check(val_context_t *ctx,SSL *con,struct val_danestatus
*danestatus,int *do_pathval)
{
[...]
switch (dane_cur->usage) {
[...]
case DANE_USE_SVC_CONSTRAINT: /*1*/
cert = SSL_get_peer_certificate(con);
cert_datalen = i2d_X509(cert, NULL);
[...]
}
In this function,you do cert verify . But the API
SSL_get_peer_certificate and SSL_get_verify_result do not in the same
case.There may exist some problem?
** Affects: dnsval (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1681177
Title:
Disabled SSL certificate verify
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dnsval/+bug/1681177/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
