According to the OpenSSL documentation, a correct certificate chain validation pattern is like this:

    const SSL_METHOD *method;
    SSL_CTX *ctx;
    SSL *ssl;
    [...]
    method = TLSv1_client_method();   //select protocol
    [...]
    ctx = SSL_CTX_new(method);        //Create CTX
    [...]
    ssl = SSL_new(ctx);               //Create SSL
    [...]
    //set SSL_VERIFY_PEER flag for certificate chain validation during handshake
    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, ...);
    [...]
    SSL_connect(ssl);                 //Start handshake

SSL_CTX_set_verify sets the verification flags for the CTX, but SSL_set_verify sets the verification flags for the SSL. libeap's internal method tls_connection_set_verify() contains the method SSL_set_verify(). I think using the method SSL_CTX_set_verify() is a correct way?

2017-04-01 2:33 GMT+08:00 Adam Bishop <1677...@bugs.launchpad.net>:
> Can you share more information on this, such as the tool you used for
> static analysis or more detailed output? Ideal would be the code path
> that your tool believes exhibits the behaviour.
>
> libeap's internal method tls_connection_set_verify() should be called to
> set the verification callback for the context before SSL_connect() or
> SSL_accept() is reached - if there is a code path that makes this not be
> the case, it's not immediately obvious.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1677947
>
> Title:
>   no SSL certificate verify
>
> Status in moonshot-gss-eap package in Ubuntu:
>   New
>
> Bug description:
>   Hi developers:
>   We made a large scale security static analysis on several open
>   source projects, and found some mistakes in moonshot-gss-eap_0.9.5. In the
>   @libeap/src/crypto/Tls_openssl.c:2255:
>
>       static struct wpabuf * openssl_handshake(struct tls_connection *conn,
>                                                const struct wpabuf *in_data,
>                                                int server)
>       {
>           [...]
>           if (server)
>               res = SSL_accept(conn->ssl);
>           else
>               res = SSL_connect(conn->ssl);
>           [...]
>       }
>
>   You create the SSL connection and then start to execute read/write
>   operations without verifying the certificate, which can lead to a MITM
>   attack and cause leakage of sensitive data. We recommend you add a cert
>   verify operation such as SSL_CTX_set_verify or SSL_get_peer_certificate
>   to guarantee the security.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/moonshot-gss-eap/+bug/1677947/+subscriptions

--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1677947

ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
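The thread turns on two points: where verification is configured (SSL_CTX_set_verify on the context versus SSL_set_verify on one connection, both of which are valid as long as they run before the handshake) and how to confirm afterwards that verification actually happened. The script below is an added example and is not code from this thread, from libeap or from moonshot-gss-eap. It uses Python's standard ssl module, which wraps OpenSSL, to run three in-memory TLS handshakes against a throwaway self-signed certificate generated with the openssl command-line tool: a client whose verify mode is off (the condition the report describes), a client that requires verification but trusts no CA, and a client that requires verification and trusts the server's certificate. The hostname example.test, the helper names and the reliance on the openssl binary being installed are assumptions of this example.

```python
"""Added example: how a TLS client's verify mode decides whether the peer
certificate is checked, and how to confirm afterwards that it was.

Assumptions of this example: the hostname example.test, the helper names,
and that an `openssl` command-line binary (1.1.1 or newer) is installed."""
import os
import ssl
import subprocess
import tempfile

SERVER_NAME = "example.test"  # assumed name; must match the certificate's SAN


def make_self_signed_cert(directory):
    """Create a throwaway self-signed server certificate with the openssl CLI."""
    cert = os.path.join(directory, "server.pem")
    key = os.path.join(directory, "server.key")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", cert, "-days", "1",
         "-subj", "/CN=" + SERVER_NAME,
         "-addext", "subjectAltName=DNS:" + SERVER_NAME],
        check=True, capture_output=True)
    return cert, key


def make_client_context(verify_mode, cafile=None):
    """Python's analogue of SSL_CTX_set_verify(): verify mode is a property of
    the context, so every connection created from it inherits the setting."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check by default
    if verify_mode == ssl.CERT_NONE:
        ctx.check_hostname = False  # must be cleared before verify_mode can be lowered
    ctx.verify_mode = verify_mode
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    return ctx


def peer_common_name(tls):
    """Return the validated peer CN, or '' when no validation took place:
    getpeercert() is an empty dict unless the context asked for verification."""
    for rdn in tls.getpeercert().get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return ""


def handshake_in_memory(client_ctx, server_ctx):
    """Drive a full client/server handshake through memory BIOs (no sockets)."""
    to_client, to_server = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = client_ctx.wrap_bio(to_client, to_server, server_hostname=SERVER_NAME)
    server = server_ctx.wrap_bio(to_server, to_client, server_side=True)
    client_done = server_done = False
    for _ in range(20):  # a real handshake needs only a handful of round trips
        if not client_done:
            try:
                client.do_handshake()  # raises SSLCertVerificationError on a bad chain
                client_done = True
            except ssl.SSLWantReadError:
                pass  # waiting for bytes from the server
        if not server_done:
            try:
                server.do_handshake()
                server_done = True
            except ssl.SSLWantReadError:
                pass  # waiting for bytes from the client
        if client_done and server_done:
            return client
    raise RuntimeError("handshake did not complete")


def connect(verify_mode, trust_server, cert, key):
    """Return ('connected', validated CN or '') or ('rejected', reason)."""
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.load_cert_chain(cert, key)
    client_ctx = make_client_context(verify_mode, cafile=cert if trust_server else None)
    try:
        client = handshake_in_memory(client_ctx, server_ctx)
    except ssl.SSLCertVerificationError as exc:
        return "rejected", exc.reason
    return "connected", peer_common_name(client)


def run_scenarios():
    with tempfile.TemporaryDirectory() as tmp:
        cert, key = make_self_signed_cert(tmp)
        return {
            # verify mode off: the handshake succeeds against any certificate and
            # nothing afterwards can say who the peer was (the MITM-exposed case)
            "no_verify": connect(ssl.CERT_NONE, False, cert, key),
            # verification on, signer not trusted: the handshake is aborted
            "verify_untrusted": connect(ssl.CERT_REQUIRED, False, cert, key),
            # verification on, signer trusted: connected and the peer identity is known
            "verify_trusted": connect(ssl.CERT_REQUIRED, True, cert, key),
        }


if __name__ == "__main__":
    for name, (status, detail) in run_scenarios().items():
        print(f"{name:17s} {status:10s} {detail}")
```

The verify mode set on the context here is the same thing SSL_CTX_set_verify does in C; a per-connection SSL_set_verify, as in libeap's tls_connection_set_verify(), has the same effect for that one connection as long as it runs before SSL_connect()/SSL_accept(). The empty getpeercert() result in the "no_verify" case is the after-the-fact symptom to look for when auditing: a handshake that completed without verification gives the application no trustworthy peer identity to act on.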