Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Implemented
    • Affects Version/s: 3.1 (end of life)
    • Fix Version/s: None
    • Component/s: HttpClient
    • Labels:
      None
    • Environment:
      All

      Description

      See: http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf

      Using JSSE you must manually validate that the server name you're connecting to matches one of the names provided by the certificate, so you can detect a man-in-the-middle type attack with a valid certificate for another site.

      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5783
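The check the description refers to, as an added illustration that is not the patch attached to this issue nor HttpClient's own code: a hypothetical `javax.net.ssl.HostnameVerifier` that compares the dialled host against the certificate's dNSName subjectAltName entries and only falls back to the subject CN when the certificate carries no dNSName at all. The wildcard rules (one leftmost `*` covering exactly one label, never a bare TLD) are an assumption of this example, chosen to be conservative.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

/**
 * Hypothetical hostname verifier (added example, not the code from this issue).
 * JSSE on its own only validates the certificate chain; binding the chain to
 * the host we actually dialled is this class's job.
 */
public final class DnsNameHostnameVerifier implements HostnameVerifier {

    @Override
    public boolean verify(String host, SSLSession session) {
        try {
            // Leaf certificate is first in the peer chain.
            X509Certificate leaf = (X509Certificate) session.getPeerCertificates()[0];
            verify(host, leaf);
            return true;
        } catch (SSLException e) {
            return false;
        }
    }

    /** Throws SSLException when host matches none of the certificate's names. */
    public static void verify(String host, X509Certificate cert) throws SSLException {
        List<String> names = dnsSubjectAlts(cert);
        if (names.isEmpty()) {
            // CN fallback only when the cert has no dNSName SAN at all.
            String cn = subjectCn(cert);
            if (cn != null) names.add(cn);
        }
        String target = host.toLowerCase(Locale.ROOT);
        for (String name : names) {
            if (matches(target, name.toLowerCase(Locale.ROOT))) return;
        }
        throw new SSLPeerUnverifiedException(
            "hostname " + host + " does not match certificate names " + names);
    }

    /** dNSName entries (GeneralName tag 2) from the subjectAltName extension. */
    static List<String> dnsSubjectAlts(X509Certificate cert) throws SSLException {
        List<String> out = new ArrayList<>();
        try {
            Collection<List<?>> sans = cert.getSubjectAlternativeNames();
            if (sans == null) return out;
            for (List<?> san : sans) {
                if (((Integer) san.get(0)) == 2) out.add((String) san.get(1));
            }
        } catch (CertificateParsingException e) {
            throw new SSLException("cannot parse subjectAltName", e);
        }
        return out;
    }

    /** First CN attribute of the subject DN (RFC 2253 form), or null if absent. */
    static String subjectCn(X509Certificate cert) {
        try {
            LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
            for (Rdn rdn : dn.getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) return rdn.getValue().toString();
            }
        } catch (InvalidNameException ignored) {
            // Unparseable DN: treat as "no CN" rather than guessing.
        }
        return null;
    }

    /** Exact match, or a single leftmost wildcard label matching exactly one label. */
    static boolean matches(String host, String pattern) {
        if (!pattern.startsWith("*.")) return host.equals(pattern);
        String suffix = pattern.substring(1);              // e.g. ".example.org"
        if (!host.endsWith(suffix)) return false;
        String prefix = host.substring(0, host.length() - suffix.length());
        // prefix must be one non-empty label; suffix must hold at least two labels
        return !prefix.isEmpty() && !prefix.contains(".") && suffix.indexOf('.', 1) > 0;
    }
}
```

On Java 7 and later the same binding can be requested from JSSE itself by setting `SSLParameters.setEndpointIdentificationAlgorithm("HTTPS")` on the socket or engine, and HttpClient 4.x ships its own hostname verifiers; a custom verifier like the one above is what a 3.x-era JSSE client had to supply by hand, which is exactly the gap this issue is about.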

      1. CVE-2012-5783-2.patch
        12 kB
        Alberto Fernández
      2. CVE-2012-5783-testcase.patch
        2 kB
        Alberto Fernández

        Activity

        Alberto Fernández created issue -
        Alberto Fernández added a comment -

        Patch that validates certificate DNSSubjectAlts/CN matches the server name we are trying to connect to

        Alberto Fernández made changes -
        Field Original Value New Value
        Attachment CVE-2012-5783.patch [ 12554704 ]
        Oleg Kalnichevski added a comment -

        Alberto,
        HttpClient 3.x has been at the end of life for almost two years already. HC 3.x is no longer supported and maintained. If you insist, I can commit the patch without any review to the ASF repository. However, there will never be an official release from the HC 3.x code line.

        Oleg

        Oleg Kalnichevski made changes -
        Status Open [ 1 ] Resolved [ 5 ]
        Resolution Won't Fix [ 2 ]
        Alberto Fernández made changes -
        Attachment CVE-2012-5783.patch [ 12554704 ]
        Alberto Fernández made changes -
        Attachment CVE-2012-5783-2.patch [ 12560251 ]
        Alberto Fernández added a comment -

        Hi Oleg

        I know HttpClient 3 is EOL, but it's used widely in Linux distros (basically because Axis 1.4 is still used and depends on HttpClient 3).

        This patch has been committed to the Debian package, and it would be great if you could apply it to the ASF repository, so other distros can take the fixed version from the SVN.

        The patch is a mix of: a backport from HttpClient 4.2, some bits from Apache Synapse and some refactoring of my own (basically splitting into smaller functions).

        If you could also do a quick review to see if I've made an obvious mistake, I would be very grateful.

        Thanks for your time and your patience

        Alberto Fernández made changes -
        Resolution Won't Fix [ 2 ]
        Status Resolved [ 5 ] Reopened [ 4 ]
        Oleg Kalnichevski added a comment -

        I committed the patch as is after a very cursory review. I did not attempt to compile the source or run test cases.

        Oleg

        Oleg Kalnichevski made changes -
        Status Reopened [ 4 ] Resolved [ 5 ]
        Resolution Implemented [ 10 ]
        Alberto Fernández added a comment -

        Testcase for this bug

        Alberto Fernández made changes -
        Attachment CVE-2012-5783-testcase.patch [ 12561188 ]
        Alberto Fernández added a comment -

        Hi Oleg.

        Thank you very much.

        I've tested that the svn code compiles and passes the tests. I also have created a test case for this bug and attached it here.

        All necessary work is done, so I close the bug.

        Alberto Fernández made changes -
        Status Resolved [ 5 ] Closed [ 6 ]
        Alberto Fernández made changes -
        Summary Insercure certificate validation CVE-2012-5783 Insecure certificate validation CVE-2012-5783

          People

          • Assignee: Unassigned
          • Reporter: Alberto Fernández
          • Votes: 0
          • Watchers: 4