*** This bug is a security vulnerability ***

Public security bug reported:

1. Start new GNUCash
2. Online banking wizard
3. OFX backend
4. Select bank: USAA (FID 24591)

Auto-populates API url of https://service2.usaa.com/ofx/OFXServlet

"Request account list" and enter a bogus pin.

What happens:
The user gets an SSL error about a mismatch between the certificate expected and 
the presented certificate's hostname of www.usaa.com.

Since visiting the API url in a browser works correctly, and I see that
services2.dropbox.com and www.usaa.com resolve to the same IP, I suspect
this is due to a lack of SNI support in GNUCash.

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: aqbanking-tools (not installed)
ProcVersionSignature: Ubuntu 4.15.0-39.42-generic 4.15.18
Uname: Linux 4.15.0-39-generic x86_64
NonfreeKernelModules: openafs nvidia_modeset nvidia
ApportVersion: 2.20.9-0ubuntu7.5
Architecture: amd64
CurrentDesktop: GNOME
Date: Fri Dec  7 04:45:23 2018
SourcePackage: libaqbanking
UpgradeStatus: Upgraded to bionic on 2018-05-21 (200 days ago)

** Affects: libaqbanking (Ubuntu)
     Importance: Medium
         Status: New


** Tags: amd64 apport-bug bionic

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1807325

Title:
  aqbanking wizard in GNUCash doesn't support SNI

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libaqbanking/+bug/1807325/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
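The reporter's hypothesis is that aqbanking opens the TLS connection without the server_name (SNI) extension, so a server that hosts several names on one IP answers with its default certificate (here one for www.usaa.com) and hostname verification then fails. The script below is an added example, not code from the bug report or from aqbanking/GnuCash: it uses Python's ssl module and its OpenSSL backend (assumed available) to generate a real ClientHello in memory, once with a server hostname and once without, and then parses the record to show whether the server_name extension is present. The hostname service2.usaa.com is the one from the report; no network connection is made, so the two ClientHellos are constructed locally and only illustrate what a packet capture of the wizard's connection would need to be checked for.

```python
import ssl
import struct


def client_hello_bytes(server_hostname):
    """Drive a TLS client handshake against an in-memory BIO pair and
    return the bytes the client wrote, i.e. its ClientHello record(s).
    No socket is opened; this only exercises the local TLS stack."""
    ctx = ssl.create_default_context()
    if server_hostname is None:
        # Without a hostname OpenSSL sends no server_name extension.
        # wrap_bio() refuses a missing hostname while check_hostname is on,
        # so turn verification off purely to model a client that omits SNI.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    sslobj = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        sslobj.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello written, now waiting for the ServerHello
    return outgoing.read()


def handshake_payload(data):
    """Concatenate the payloads of consecutive TLS handshake records
    (content type 0x16) so a fragmented ClientHello is parsed whole."""
    payload = b""
    pos = 0
    while pos + 5 <= len(data):
        ctype, rec_len = data[pos], struct.unpack("!H", data[pos + 3:pos + 5])[0]
        if ctype != 0x16:
            raise ValueError("not a TLS handshake record")
        payload += data[pos + 5:pos + 5 + rec_len]
        pos += 5 + rec_len
    return payload


def sni_from_client_hello(data):
    """Return the server_name value carried in a ClientHello, or None when
    the extension (TLS extension type 0) is absent, as with a non-SNI client."""
    body = handshake_payload(data)
    if not body or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 2 + 32                                   # client_version + random
    pos += 1 + hello[pos]                          # session_id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hello[pos]                          # compression_methods
    if pos >= len(hello):
        return None                                # legacy hello, no extensions
    ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        edata = hello[pos:pos + elen]
        pos += elen
        if etype != 0x0000:
            continue
        # ServerNameList: u16 list length, then (u8 name_type, u16 len, name)
        list_len = struct.unpack("!H", edata[0:2])[0]
        i = 2
        while i + 3 <= 2 + list_len:
            ntype, nlen = edata[i], struct.unpack("!H", edata[i + 1:i + 3])[0]
            i += 3
            if ntype == 0:                         # host_name
                return edata[i:i + nlen].decode("ascii")
            i += nlen
    return None


if __name__ == "__main__":
    for host in ("service2.usaa.com", None):
        print(f"server_hostname={host!r}: SNI sent =",
              sni_from_client_hello(client_hello_bytes(host)))
```

To confirm the diagnosis against the real service rather than a local ClientHello, the same check can be made with the OpenSSL CLI: `openssl s_client -connect service2.usaa.com:443` (no `-servername`) shows which certificate the server presents to a client that sends no SNI, while adding `-servername service2.usaa.com` shows the one an SNI-capable client gets; if the two differ, the mismatch error in the wizard is explained by a missing SNI rather than by a bad certificate. A packet capture of the wizard's connection, parsed as above, settles which side is at fault.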