Your message dated Tue, 27 Jul 2010 14:43:51 -0400
with message-id <20100727184350.ga7...@galadriel.inutil.org>
and subject line Re: This is not a bug
has caused the Debian Bug report #569148,
regarding does not verify that hostname of destination and common name in
certificate match
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
569148: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=569148
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: stunnel4
Version: 3:4.29-1
Severity: important
If stunnel is used in client mode, it does not verify that the hostname of the
destination host actually matches the common name in the certificate it
provides. This makes MITM much easier, because an attacker could use a valid
certificate for one of his domains that was signed by a trusted CA to
impersonate any destination host.
This does not affect verify level 3 because only specific host certificates are
allowed on this level.
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages stunnel4 depends on:
ii adduser 3.112 add and remove users and groups
ii libc6 2.10.2-6 Embedded GNU C Library: Shared lib
ii libssl0.9.8 0.9.8k-8 SSL shared libraries
ii libwrap0 7.6.q-18 Wietse Venema's TCP wrappers libra
ii netbase 4.40 Basic TCP/IP networking system
ii openssl 0.9.8k-8 Secure Socket Layer (SSL) binary a
ii perl-modules 5.10.1-11 Core Perl modules
stunnel4 recommends no packages.
Versions of packages stunnel4 suggests:
pn logcheck-database <none> (no description available)
-- no debconf information
--- End Message ---
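The report above describes a client that checks only that the peer certificate chains to a trusted CA, not that the certificate's name matches the host it was told to connect to. The following is an added example (not stunnel's code, and not from the reporter or upstream) that shows the difference in Python: certificates are modelled as the dict that `ssl.SSLSocket.getpeercert()` returns, the CA-signature check is assumed to have already succeeded, and the `_der` field, the host names and the certificates are constructed placeholders for illustration. The name check implements RFC 2818 section 3 (dNSName SANs first, else the CN, with a wildcard that never crosses a label boundary). The "pinned" mode compares a certificate fingerprint and is only an approximation of what the report attributes to verify level 3.

```python
"""
Why a CA-signed certificate alone does not identify the peer.

Added example, not part of stunnel. The certificate dicts below mimic the
shape returned by ssl.SSLSocket.getpeercert(); "_der" stands in for the DER
encoding (constructed bytes, not a real certificate).
"""
import hashlib
import re

# Constructed peer certificates (the names and bytes are placeholders).
LEGIT_CERT = {
    "subject": ((("commonName", "mail.example.org"),),),
    "subjectAltName": (("DNS", "mail.example.org"), ("DNS", "*.example.org")),
    "_der": b"legit-cert-der-bytes",
}
ATTACKER_CERT = {  # valid chain for the attacker's own domain
    "subject": ((("commonName", "attacker.example"),),),
    "subjectAltName": (("DNS", "attacker.example"),),
    "_der": b"attacker-cert-der-bytes",
}
CN_ONLY_CERT = {  # older certificate with no SAN extension
    "subject": ((("commonName", "legacy.example.org"),),),
    "_der": b"cn-only-cert-der-bytes",
}


def _dns_names(cert):
    """Names the certificate is valid for: dNSName SANs, else the CN (RFC 2818 s.3)."""
    sans = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]


def _label_matches(pattern, label):
    """Match one DNS label; '*' matches any characters within that label only."""
    if "*" not in pattern:
        return pattern.lower() == label.lower()
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, label, re.IGNORECASE) is not None


def name_matches(pattern, hostname):
    """Compare a certificate name with the destination host label by label.

    "*.a.com" matches "foo.a.com" but not "bar.foo.a.com"; "f*.com" matches
    "foo.com" but not "bar.com" (the examples given in RFC 2818 section 3).
    """
    p_labels = pattern.rstrip(".").split(".")
    h_labels = hostname.rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def hostname_matches(cert, hostname):
    """True if any name in the certificate matches the destination hostname."""
    return any(name_matches(name, hostname) for name in _dns_names(cert))


def fingerprint(cert):
    """SHA-256 over the (placeholder) DER encoding, used for pinning."""
    return hashlib.sha256(cert["_der"]).hexdigest()


def accept_peer(cert, hostname, mode, pinned=None):
    """Decide whether to talk to a peer whose chain already verified.

    mode="chain":    CA signature only; any CA-signed cert is accepted, so an
                     attacker's cert for his own domain impersonates any host.
    mode="hostname": CA signature plus the RFC 2818 section 3 name check.
    mode="pinned":   only the one expected certificate (fingerprint match).
    """
    if mode == "chain":
        return True
    if mode == "hostname":
        return hostname_matches(cert, hostname)
    if mode == "pinned":
        return pinned is not None and fingerprint(cert) == pinned
    raise ValueError("unknown mode: %r" % (mode,))


if __name__ == "__main__":
    for mode in ("chain", "hostname", "pinned"):
        ok = accept_peer(ATTACKER_CERT, "mail.example.org", mode, fingerprint(LEGIT_CERT))
        print("%-8s attacker cert for mail.example.org accepted: %s" % (mode, ok))
```

In "chain" mode the attacker's certificate is accepted for `mail.example.org`, which is the MITM the report describes; the "hostname" check rejects it, and pinning rejects everything except the one expected certificate. In a real Python client the same effect comes from `ssl.create_default_context()` with `check_hostname=True` and passing `server_hostname` to `wrap_socket`, rather than from hand-written matching.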
--- Begin Message ---
On Fri, Jul 02, 2010 at 10:21:48AM +0200, Michal Trojnara wrote:
>
> Hi,
>
> The stunnel security model is not designed to rely on domain name checks.
> The SSL/TLS protocol is not the same as HTTPS. Stunnel is not expected to meet
> the requirements of RFC 2818 section 3.
>
> This is *not* a bug.
>
> Best regards,
> Michal Trojnara
> upstream maintainer
I agree. Closing the bug.
Cheers,
Moritz
--- End Message ---