[FS#3465] libustream-wolfssl20200215 doesn't validate TLS server certificates

OpenWrt Bugs openwrt-bugs at lists.openwrt.org
Fri Nov 20 01:23:52 EST 2020


THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY.

A new Flyspray task has been opened.  Details are below. 

User who did this - Pascal Ernster (hardfalcon) 

Attached to Project - OpenWrt/LEDE Project
Summary - libustream-wolfssl20200215 doesn't validate TLS server certificates
Task Type - Bug Report
Category - Base system
Status - Unconfirmed
Assigned To - 
Operating System - All
Severity - High
Priority - Very Low
Reported Version - Trunk
Due in Version - Undecided
Due Date - Undecided
Details - It appears that libustream-wolfssl20200215, which is used as the default TLS client implementation in current OpenWRT snapshot images, checks only if the CN or SAN in the server certificate matches the hostname, but not if the certificate was actually issued/signed by a trusted CA (thus making all other checks completely pointless) or if the certificate has expired.

On a device running the most recent OpenWRT snapshot image, all of the following three commands would be expected to fail with certificate errors, but they succeed without giving any error:

root at vr200v:/tmp# uclient-fetch -O - 'https://self-signed.badssl.com/'
root at vr200v:/tmp# uclient-fetch -O - 'https://untrusted-root.badssl.com/'
root at vr200v:/tmp# uclient-fetch -O - 'https://expired.badssl.com/'


Manually specifying the CA doesn't change the behavior, either:

root at vr200v:/tmp# uclient-fetch --ca-certificate=/rom/etc/ssl/certs/ca-certificates.crt -O - 'https://self-signed.badssl.com/'
root at vr200v:/tmp# uclient-fetch --ca-certificate=/tmp/ISRG_Root_X1.crt -O - 'https://self-signed.badssl.com/'



More information can be found at the following URL:
https://bugs.openwrt.org/index.php?do=details&task_id=3465

You are receiving this message because you have requested it from the Flyspray bugtracking system.  If you did not expect this message or don't want to receive mails in future, you can change your notification settings at the URL shown above.
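An added check script, written here and not part of the report or of OpenWrt: it runs a fetch command against the three badssl.com endpoints named in the report, expects every fetch to be rejected, and counts how many were wrongly accepted. The `check_endpoint`/`check_all` names and the `TLS_PROBE_CMD` variable are my own assumptions; the fetch command must accept uclient-fetch's `-O - URL` form.

```shell
#!/bin/sh
# Probe a TLS client with the badssl.com endpoints from the bug report.
# Each fetch is expected to FAIL; a success means the client accepted a
# certificate it should have rejected (missing chain or expiry validation).

# Endpoints from the report, each exercising one validation check:
# self-signed chain, untrusted root CA, expired certificate.
BADSSL_URLS="https://self-signed.badssl.com/ https://untrusted-root.badssl.com/ https://expired.badssl.com/"

# check_endpoint FETCH_CMD URL
#   returns 0 if the fetch was rejected (expected), 1 if it succeeded (bug).
check_endpoint() {
    fetch_cmd=$1
    url=$2
    # Discard the body; only the exit status of the client matters.
    if $fetch_cmd -O - "$url" >/dev/null 2>&1; then
        echo "FAIL  $url accepted (certificate validation not enforced)"
        return 1
    fi
    echo "ok    $url rejected"
    return 0
}

# check_all FETCH_CMD
#   returns the number of endpoints the client wrongly accepted (0 = good).
check_all() {
    fetch_cmd=$1
    accepted=0
    for url in $BADSSL_URLS; do
        check_endpoint "$fetch_cmd" "$url" || accepted=$((accepted + 1))
    done
    return $accepted
}

# Run only when a client is named explicitly (assumed variable), e.g. on the
# device: TLS_PROBE_CMD=uclient-fetch sh tls-probe.sh
if [ -n "${TLS_PROBE_CMD:-}" ]; then
    check_all "$TLS_PROBE_CMD"
    exit $?
fi
```

A non-zero exit status is the number of endpoints the client accepted; on a device showing the behaviour in the report it will be 3.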
