FS#3463 - libustream-wolfssl20200215 doesn't validate TLS server certificates #8333

Closed
openwrt-bot opened this issue Nov 20, 2020 · 0 comments
hardfalcon:

It appears that libustream-wolfssl20200215, which is currently used as the default client-side TLS implementation in trunk snapshot images, doesn't actually validate TLS server certificates. To be more precise, it seems to only check if the certificate was issued for the correct hostname, but it doesn't check if it was issued/signed by a trusted CA (making all other checks utterly pointless), or if the certificate is expired.

To reproduce this, simply execute the following commands on a device flashed with a reasonably current trunk snapshot image:

uclient-fetch -O - 'https://self-signed.badssl.com/'
uclient-fetch -O - 'https://untrusted-root.badssl.com/'
uclient-fetch -O - 'https://expired.badssl.com/'

All three commands should fail if the certificate is actually validated, but all three succeed on my devices.
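The check below is an added example, not part of the original report or of the OpenWrt project. It wraps the reporter's three uclient-fetch commands in a small POSIX sh suite that can be run on a device (BusyBox ash) and goes slightly beyond the report: it adds a positive control (https://badssl.com/, which has a valid chain) and a hostname-mismatch case (https://wrong.host.badssl.com/). The positive control matters because a client with no CA bundle installed rejects everything, which looks like "validation works" but is not; the FETCH variable, the PASS/FAIL labels and the hypothetical function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original report): probe a TLS client's
# certificate validation against the badssl.com test hosts.
# FETCH defaults to uclient-fetch as in the report; override it to test
# another client, e.g. FETCH="curl -fsS -o /dev/null".
FETCH="${FETCH:-uclient-fetch -q -O /dev/null}"

# fetch_ok URL: returns 0 if the client accepted the TLS connection and
# fetched the page, non-zero if it refused (or the fetch failed for any reason).
fetch_ok() {
    $FETCH "$1" >/dev/null 2>&1
}

# expect WANT URL LABEL: WANT is "accept" or "reject".
# Prints one PASS/FAIL line; returns 0 on PASS, 1 on FAIL.
expect() {
    want=$1; url=$2; label=$3
    if fetch_ok "$url"; then got=accept; else got=reject; fi
    if [ "$got" = "$want" ]; then
        echo "PASS  $label ($url): client chose to $got"
        return 0
    fi
    echo "FAIL  $label ($url): client chose to $got, wanted $want"
    return 1
}

# run_suite: runs all cases; returns the number of failed cases.
run_suite() {
    fails=0

    # Positive control. If this one FAILs, the client most likely has no
    # usable trust store (on OpenWrt, typically the ca-bundle package), and
    # every "reject" below is meaningless: it rejects because it trusts
    # nothing, not because it validates.
    expect accept https://badssl.com/ "valid chain (positive control)" \
        || { fails=$((fails+1)); echo "NOTE  positive control failed: install a CA bundle before trusting the results below"; }

    # The three cases from the report: chain not rooted in a trusted CA,
    # and an expired leaf. A correct client must refuse all of them.
    expect reject https://self-signed.badssl.com/   "self-signed"    || fails=$((fails+1))
    expect reject https://untrusted-root.badssl.com/ "untrusted root" || fails=$((fails+1))
    expect reject https://expired.badssl.com/        "expired"        || fails=$((fails+1))

    # Hostname check: the report says this one is enforced; verify it too,
    # since hostname matching without chain validation is worthless.
    expect reject https://wrong.host.badssl.com/ "hostname mismatch" || fails=$((fails+1))

    echo "$fails case(s) failed"
    return $fails
}

# Run the suite only when executed directly, not when sourced for testing.
case "$0" in
    *sh) ;;
    *) run_suite; exit $? ;;
esac
```

A client that behaves as the report describes prints PASS for the positive control and for the hostname mismatch, and FAIL for the three chain/expiry cases; the script's exit status is the number of failed cases, so it can be dropped into a CI or image smoke test. Substitute `FETCH="uclient-fetch --no-check-certificate -q -O /dev/null"` to confirm the harness itself detects a client that deliberately skips validation (all four reject cases should then FAIL).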
