Subject: Re: Fwd: Re: [oss-security] CVE Request: evolution-data-server lacks SSL checking in its libsoup users
From: Ludwig Nussel
Date: Tue, 08 May 2012 14:46:27 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20120421 Thunderbird/12.0
Richard Moore wrote:
> On 7 May 2012 06:25, Nikos Mavrogiannopoulos <address@hidden> wrote:
> [...]
>> Moreover, a standard certificate bundle is not helpful at all, if it
>> doesn't mention for which purpose those certificates are trusted. Are
>> they trusted to certify stmp servers? incoming e-mail? web?
>
> This limitation is true. Openssl doesn't really have support for that concept.
It supports similar trust settings like NSS though. Check the -addtrust
parameter of "openssl x509".
> [...]
> In Qt, we search the following directories (see
> https://qt.gitorious.org/qt/qtbase/blobs/master/src/network/ssl/qsslsocket.cpp#line2389):
>
> << "/etc/ssl/certs/" // (K)ubuntu, OpenSUSE, Mandriva, MeeGo ...
> << "/usr/lib/ssl/certs/" // Gentoo, Mandrake
> << "/usr/share/ssl/" // Centos, Redhat, SuSE
> << "/usr/local/ssl/" // Normal OpenSSL Tarball
> << "/var/ssl/certs/" // AIX
> << "/usr/local/ssl/certs/" // Solaris
> << "/opt/openssl/certs/"; // HP-UX
What's the reason why you hardcode that list yourself instead of calling
SSL_CTX_set_default_verify_paths()?
>> Are there ways to identify the trust purpose of those certificates?
>> Is there any intention to standardize something like that, so we don't
>> end up with our own trust?
>
> All the certs are trusted for all purposes in this scheme (subject to
> the keyusage flags they contain).
$ openssl x509 -in /etc/ssl/certs/DigiCert_High_Assurance_EV_Root_CA.pem -out t.pem
$ openssl s_client -connect build.opensuse.org:443 -CAfile t.pem < /dev/null
[...]
Verify return code: 0 (ok)
$ openssl x509 -in /etc/ssl/certs/DigiCert_High_Assurance_EV_Root_CA.pem -out t.pem -addtrust emailProtection
$ openssl s_client -connect build.opensuse.org:443 -CAfile t.pem < /dev/null
[...]
Verify return code: 2 (unable to get issuer certificate)
$ openssl x509 -in /etc/ssl/certs/DigiCert_High_Assurance_EV_Root_CA.pem -out t.pem -addtrust serverAuth
$ openssl s_client -connect build.opensuse.org:443 -CAfile t.pem < /dev/null
[...]
Verify return code: 0 (ok)
cu
Ludwig
--
(o_ Ludwig Nussel
//\
V_/_ http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB
16746 (AG Nürnberg)
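The experiment above, repeated offline as an added example that is not part of the original message: instead of the DigiCert root and build.opensuse.org it builds a throwaway root and leaf (hypothetical names, disposable keys), wraps the same root four ways with `openssl x509 -addtrust`/`-addreject`, and checks each variant against both the `sslserver` and the `smimesign` purpose with `openssl verify`, so the purpose check is shown in both directions. The helper names `verify_for` and `pem_label` and the config sections are my own; it assumes an OpenSSL 1.1.1 or newer command-line tool on PATH.

```shell
#!/bin/sh
# Added example, not code from the thread: repeat the -addtrust experiment
# offline against a throwaway CA and leaf, and check both purposes.
# Assumes an OpenSSL 1.1.1-or-newer CLI (openssl req/x509/verify) on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed config for the throwaway PKI (hypothetical names, disposable keys).
cat > "$WORK/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext

[ dn ]
CN = Example Test Root

[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,emailProtection
EOF

# Self-signed root plus one leaf that is itself valid for both TLS server and
# S/MIME use, so that only the root's trust settings decide the outcome below.
openssl req -config "$WORK/pki.cnf" -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Example Test Root" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -config "$WORK/pki.cnf" -new -newkey rsa:2048 -nodes \
    -subj "/CN=mail.example.test" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 2 -extfile "$WORK/pki.cnf" -extensions leaf_ext \
    -out "$WORK/leaf.pem" 2>/dev/null

# Four trust-store variants of the same root:
#   plain  - ordinary CERTIFICATE, no trust settings (OpenSSL trusts a
#            self-signed root with no settings for every purpose)
#   email  - TRUSTED CERTIFICATE, trust list = emailProtection only
#   server - TRUSTED CERTIFICATE, trust list = serverAuth only
#   reject - TRUSTED CERTIFICATE, reject list = serverAuth
cp "$WORK/ca.pem" "$WORK/ca-plain.pem"
openssl x509 -in "$WORK/ca.pem" -addtrust emailProtection -out "$WORK/ca-email.pem"
openssl x509 -in "$WORK/ca.pem" -addtrust serverAuth -out "$WORK/ca-server.pem"
openssl x509 -in "$WORK/ca.pem" -addreject serverAuth -out "$WORK/ca-reject.pem"

# verify_for <ca-file> <purpose>: prints "ok" when leaf.pem chains to that root
# for the given purpose (sslserver or smimesign), "fail" otherwise. The error
# code and text printed on failure differ between OpenSSL releases, so only
# the verdict is reported.
verify_for() {
    if openssl verify -CAfile "$1" -purpose "$2" "$WORK/leaf.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# pem_label <file>: the PEM header, to show that -addtrust/-addreject change
# the on-disk object type (CERTIFICATE vs TRUSTED CERTIFICATE).
pem_label() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

for variant in plain email server reject; do
    f="$WORK/ca-$variant.pem"
    printf '%-7s %-20s sslserver=%-4s smimesign=%s\n' "$variant" "$(pem_label "$f")" \
        "$(verify_for "$f" sslserver)" "$(verify_for "$f" smimesign)"
done
```

The plain root passes for both purposes, the emailProtection-only root fails for `sslserver` but passes for `smimesign`, the serverAuth-only root does the reverse, and the `-addreject serverAuth` root fails for `sslserver`: the trust list on a TRUSTED CERTIFICATE is a whitelist of purposes, the reject list an exclusion, and the leaf's own keyUsage/extendedKeyUsage are checked separately. A distribution's `/etc/ssl/certs` bundle made of plain CERTIFICATE objects carries none of this, which is the limitation raised earlier in the thread.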