You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
It appears that libustream-wolfssl20200215, which is currently used as the default client-side TLS implementation in trunk snapshot images, doesn't actually validate TLS server certificates. To be more precise, it seems to only check if the certificate was issued for the correct hostname, but it doesn't check if it was issued/signed by a trusted CA (making all other checks utterly pointless), or if the certificate is expired.
hardfalcon:
It appears that libustream-wolfssl20200215, which is currently used as the default client-side TLS implementation in trunk snapshot images, doesn't actually validate TLS server certificates. To be more precise, it seems to only check if the certificate was issued for the correct hostname, but it doesn't check if it was issued/signed by a trusted CA (making all other checks utterly pointless), or if the certificate is expired.
To reproduce this, simply execute the following commands on a device flashed with a reasonably current trunk snapshot image:
uclient-fetch -O - 'https://self-signed.badssl.com/'
uclient-fetch -O - 'https://untrusted-root.badssl.com/'
uclient-fetch -O - 'https://expired.badssl.com/'
All three commands should fail if the certificate gets actually validated, but all three succeed on my devices.
The text was updated successfully, but these errors were encountered: