Hi Developers:
     In @plugins/sslutils.c:164~248, I see you get the certificate and verify
some properties of it. So is the plugin planning to do so? Why not use the
judgement SSL_get_verify_result(ssl)==X509_V_OK to guarantee valid cert
verification?


2017-04-06 17:16 GMT+08:00 Jan Wagner <[email protected]>:

> check_http (and every other plugin) does NOT verify certificates and was
> never planned to do so.
>
> ** Changed in: monitoring-plugins (Ubuntu)
>        Status: Confirmed => Invalid
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1677951
>
> Title:
>   incomplete SSL certificate verify
>
> Status in monitoring-plugins package in Ubuntu:
>   Invalid
>
> Bug description:
>   Hi developers:
>       We made a large scale security static analysis on several open
> source projects, and found some mistakes in monitoring-plugins-2.1.2. In
> the @plugins/sslutils.c:164:
>         int np_net_ssl_check_cert(int days_till_exp_warn, int
> days_till_exp_crit){
>         #  ifdef USE_OPENSSL
>         [...]
>         certificate=SSL_get_peer_certificate(s);
>
>           if (!certificate) {
>                 printf("%s\n",_("CRITICAL - Cannot retrieve server
> certificate."));
>                 return STATE_CRITICAL;
>         }
>
>         /* Extract CN from certificate subject */
>         subj=X509_get_subject_name(certificate);
>          [...]
>          }
>
>       We find that you use SSL_get_peer_certificate() to get the cert
>   and verify some properties of it. But it is still not secure enough and
>   can lead to a MITM attack. To guarantee the security, we recommend you
>   add the judgement if(SSL_get_verify_result(ssl)==X509_V_OK) to make
>   sure validation succeeds.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/monitoring-
> plugins/+bug/1677951/+subscriptions
>
