[#68845] [Ruby trunk - Feature #11056] [PATCH] lib/net/*: use io/wait methods instead of IO.select — normalperson@...
Issue #11056 has been updated by Eric Wong.
3 messages
2015/04/11
[#68945] [Ruby trunk - Feature #11083] [Open] Gemify net-telnet — shibata.hiroshi@...
Issue #11083 has been reported by Hiroshi SHIBATA.
4 messages
2015/04/21
[#68951] Re: [Ruby trunk - Feature #11083] [Open] Gemify net-telnet
— Eric Wong <normalperson@...>
2015/04/21
shibata.hiroshi@gmail.com wrote:
[#69012] [Ruby trunk - Feature #11105] [Open] ES6-like hash literals — shugo@...
Issue #11105 has been reported by Shugo Maeda.
5 messages
2015/04/29
[ruby-core:68874] [Ruby trunk - Bug #9644] ssl hostname verification security bug: verify_certificate_identity wildcard matching allows to much
From:
usa@...
Date:
2015-04-13 13:16:59 UTC
List:
ruby-core #68874
Issue #9644 has been updated by Usaku NAKAMURA. Backport changed from 1.9.3: REQUIRED, 2.0.0: REQUIRED, 2.1: DONE to 1.9.3: REQUIRED, 2.0.0: DONE, 2.1: DONE ruby_2_0_0 r50294 merged revision(s) 50292. ---------------------------------------- Bug #9644: ssl hostname verification security bug: verify_certificate_identity wildcard matching allows to much https://bugs.ruby-lang.org/issues/9644#change-52143 * Author: Steffen Ullrich * Status: Closed * Priority: High * Assignee: Martin Bosslet * ruby -v: 1.9, 2.0, 2.1 * Backport: 1.9.3: REQUIRED, 2.0.0: DONE, 2.1: DONE ---------------------------------------- Hi, I'm not a ruby developer but the maintainer of the IO::Socket::SSL module in Perl. While comparing the state of the SSL implementations in various languages I've noticed, that your validation of the hostname inside the certificate is wrong regarding wildcards. According to the RFC2818 (http) or RFC6125 (includes http and others) only the leftmost part of the name specification might contain a wildcard, e.g `*.foo.bar` is allowed, but not `www.*.foo.bar` or even `www.*.*.*`. Unfortunatly the implementation of `verify_certificate_identity` in openssl/ssl.rb (or openssl/ssl-internal.rb in older versions) does a global substitution of `*` with `[^.]+` and thus allows wildcards anywhere and also multiple wildcards. I've verified my assumption with a certificate for `www.*.foo.*`, which got successfully verified against `www.bar.foo.org` or `www.foobar.foo.bar` on ruby 1.9.1. And, from looking at the code the current ruby version has the same problem. Also, from reading the code I understand that you use the same hostname verification for SMTP, IMAP and POP too. But the verification schemes for these protocols differ from http (see RFC2595 for SMTP, RFC4642 for IMAP and POP): * while http allows something like www*.example.com the other protocols only allow *.example.com, e.g. the the wildcard must fully replace the leftmost part of the hostname. * while with http one should not check the common name if subject alternative names exist (and you've implemented it this way), with the other protocols one check common name too. Regards, Steffen -- https://bugs.ruby-lang.org/