Fwd: Re: [oss-security] CVE Request: evolution-data-server lacks SSL checking in its libsoup users

Ludwig Nussel ludwig.nussel at suse.de
Tue May 8 14:46:27 CEST 2012


Richard Moore wrote:
> On 7 May 2012 06:25, Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:
> [...]
>> Moreover, a standard certificate bundle is not helpful at all, if it
>> doesn't mention for which purpose those certificates are trusted. Are
>> they trusted to certify smtp servers? incoming e-mail? web?
> 
> This limitation is true. Openssl doesn't really have support for that concept.

It supports trust settings similar to those of NSS though. Check the -addtrust
parameter of "openssl x509".

> [...]
> In Qt, we search the following directories (see
> https://qt.gitorious.org/qt/qtbase/blobs/master/src/network/ssl/qsslsocket.cpp#line2389):
> 
> <<  "/etc/ssl/certs/" // (K)ubuntu, OpenSUSE, Mandriva, MeeGo ...
> << "/usr/lib/ssl/certs/" // Gentoo, Mandrake
> << "/usr/share/ssl/" // Centos, Redhat, SuSE
> << "/usr/local/ssl/" // Normal OpenSSL Tarball
> << "/var/ssl/certs/" // AIX
> << "/usr/local/ssl/certs/" // Solaris
> << "/opt/openssl/certs/"; // HP-UX

What's the reason why you hardcode that list yourself instead of calling
SSL_CTX_set_default_verify_paths()?

>> Are there ways to identify the trust purpose of those certificates?
>> Is there any intention to standardize something like that, so we don't
>> end up with our own trust?
> 
> All the certs are trusted for all purposes in this scheme (subject to
> the keyusage flags they contain).

$ openssl x509 -in /etc/ssl/certs/DigiCert_High_Assurance_EV_Root_CA.pem -out t.pem
$ openssl s_client -connect build.opensuse.org:443 -CAfile t.pem < /dev/null
[...]
    Verify return code: 0 (ok)

$ openssl x509 -in /etc/ssl/certs/DigiCert_High_Assurance_EV_Root_CA.pem -out t.pem -addtrust emailProtection
$ openssl s_client -connect build.opensuse.org:443 -CAfile t.pem < /dev/null
[...]
    Verify return code: 2 (unable to get issuer certificate)

$ openssl x509 -in /etc/ssl/certs/DigiCert_High_Assurance_EV_Root_CA.pem -out t.pem -addtrust serverAuth
$ openssl s_client -connect build.opensuse.org:443 -CAfile t.pem < /dev/null
[...]
    Verify return code: 0 (ok)

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg) 
