GNOME / glib-networking / Issues / #135 (Closed)
Issue created May 04, 2020 by Michael Catanzaro (@mcatanzaro, Maintainer)

(CVE-2020-13645) GTlsClientConnection silently ignores unset server identity

When the server-identity property of GTlsClientConnection is unset, the documentation says we need to fail the certificate verification with G_TLS_CERTIFICATE_BAD_IDENTITY:

If the G_TLS_CERTIFICATE_BAD_IDENTITY flag is set in "validation-flags", this object will be used to determine the expected identity of the remote end of the connection; if "server-identity" is not set, or does not match the identity presented by the server, then the G_TLS_CERTIFICATE_BAD_IDENTITY validation will fail.

This is important because otherwise, it's easy for applications to fail to specify server identity. When server identity is missing, we check the validity of the TLS certificate but do not check if it corresponds to the expected server. That is, evil.com can present a valid certificate issued to evil.com, and we will happily accept it for paypal.com.

This was discovered in balsa#34 (closed).

Edited May 28, 2020 by Michael Catanzaro
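The behaviour described in this issue, modelled as an added example that is not glib-networking code: a small identity check in the style of GTlsClientConnection, with the reported fail-open variant (missing server-identity means the identity check is skipped) beside the documented fail-closed variant (missing server-identity sets G_TLS_CERTIFICATE_BAD_IDENTITY). The certificate records, flag values and function names are constructed for illustration; the DNS-name matching follows the usual RFC 6125 rules, which goes slightly beyond what the issue text itself spells out.

```python
"""Model of the identity check discussed in glib-networking#135.

Added example, not project code. Flag names mirror GTlsCertificateFlags,
but the numeric values, the Cert record and every function here are
constructed for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Illustrative flag values (assumption: not the real GTlsCertificateFlags values).
G_TLS_CERTIFICATE_UNKNOWN_CA = 1 << 0
G_TLS_CERTIFICATE_BAD_IDENTITY = 1 << 1
G_TLS_CERTIFICATE_VALIDATE_ALL = G_TLS_CERTIFICATE_UNKNOWN_CA | G_TLS_CERTIFICATE_BAD_IDENTITY


@dataclass(frozen=True)
class Cert:
    """Stand-in for a leaf certificate: subject CN, DNS SANs, chain verdict."""
    subject_cn: str
    dns_sans: tuple[str, ...] = ()
    chain_valid: bool = True  # result of the trust-chain check, modelled as given


def _match_dns(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: case-insensitive; a single '*' is allowed only as
    the whole left-most label, never matches across a dot, never a bare TLD."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    return p_labels[1:] == h_labels[1:]


def identity_matches(cert: Cert, hostname: str) -> bool:
    """SANs take precedence; the CN is consulted only when no DNS SAN exists."""
    names = cert.dns_sans if cert.dns_sans else (cert.subject_cn,)
    return any(_match_dns(name, hostname) for name in names)


def verify_fail_open(cert: Cert, server_identity: Optional[str]) -> int:
    """The reported bug: with no server-identity the identity check is skipped,
    so a valid certificate for any name passes."""
    flags = 0 if cert.chain_valid else G_TLS_CERTIFICATE_UNKNOWN_CA
    if server_identity is not None and not identity_matches(cert, server_identity):
        flags |= G_TLS_CERTIFICATE_BAD_IDENTITY
    return flags


def verify_fail_closed(cert: Cert, server_identity: Optional[str]) -> int:
    """The documented behaviour: an unset server-identity is itself a
    BAD_IDENTITY failure, so forgetting to set it cannot go unnoticed."""
    flags = 0 if cert.chain_valid else G_TLS_CERTIFICATE_UNKNOWN_CA
    if server_identity is None or not identity_matches(cert, server_identity):
        flags |= G_TLS_CERTIFICATE_BAD_IDENTITY
    return flags


def accepts(flags: int, validation_flags: int = G_TLS_CERTIFICATE_VALIDATE_ALL) -> bool:
    """A handshake is accepted when no flag selected by validation-flags is set."""
    return (flags & validation_flags) == 0


def demo() -> dict[str, bool]:
    # Constructed scenario from the issue: a chain-valid certificate issued to
    # evil.com, presented to a client that meant to talk to paypal.com but
    # never set server-identity.
    evil = Cert(subject_cn="evil.com", dns_sans=("evil.com", "www.evil.com"))
    return {
        "fail_open_no_identity": accepts(verify_fail_open(evil, None)),
        "fail_closed_no_identity": accepts(verify_fail_closed(evil, None)),
        "fail_closed_matching_identity": accepts(verify_fail_closed(evil, "evil.com")),
        "fail_closed_wrong_identity": accepts(verify_fail_closed(evil, "paypal.com")),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'ACCEPTED' if accepted else 'rejected'}")
```

Only the fail-closed variant makes the missing server-identity visible to the application; the practical check for callers is that every GTlsClientConnection they create has server-identity set to the name they actually intended to reach, and that G_TLS_CERTIFICATE_BAD_IDENTITY is left enabled in validation-flags.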