GNOME Bugzilla – Bug 606181
Accepting bad SSL certificate applies to any expected hostname
Last modified: 2012-10-30 11:06:15 UTC
If I accept a bad SSL certificate for a mail server, the certificate and expected hostname are saved to ~/.evolution/camel-cert.db. But then Evolution will accept the certificate for any expected hostname, not just the saved one. Thus, the first mail server can impersonate the mail servers for my other accounts. This is a big vulnerability if you care about SSL. Steps to reproduce: 1. Make up two fake hostnames and edit /etc/hosts to map them to your mail server. Alternatively, to avoid hard-coding the mail server's IP address, map them to 127.0.0.1 and set up an ssh port forward. 2. Edit your mail account to use the first fake hostname. Click "Check for Supported Types" to trigger an SSL/TLS connection. 3. When the bad certificate dialog appears, click OK. 4. Now enter the second fake hostname and click "Check for Supported Types". Actual result: The certificate is silently accepted the second time. Expected result: The certificate should not be silently accepted. Ideally, the bad certificate dialog would appear again, but it would also be secure if the connection just failed. Possible fixes: It's easy enough to make the connection fail by comparing the current expected hostname to the saved one in the "else" case of ssl_bad_cert. However, it will then be impossible to accept the same certificate for two different expected hostnames (e.g., different DreamHost domains that all present the same mail.dreamhost.com certificate), since the lookup in camel-cert.db is by fingerprint only. A more complete fix would be to look up by fingerprint and expected hostname, so that it will work to have two entries in camel-cert.db for the same certificate but different expected hostnames.
I'm going to use only the expected hostname as the key, so that there can be at most one accepted certificate for a given hostname. This is the same as Mozilla PSM. The format of camel-cert.db will not change, so there should not be any upgrade issues except that if a user was using the same certificate for multiple hostnames, a warning will be shown once for each hostname other than the one already stored in camel-cert.db (which is the point of this bug). Can I change the API in camel/camel-certdb.h freely, or is it used outside evolution-data-server? I don't think it is but I want to make sure.
Created attachment 170061 [details] [review] Fix: lookup certificates by hostname
Created attachment 170062 [details] Test server kit (key, certificates, openssl s_server script) Here is a kit to set up a test server with one of two certificates. I tested the patched Evolution by clicking "Check for Supported Types" in the mail account editor with the two hostnames 127.0.0.1 and localhost and the server flipping back and forth between the two certificates. The patch appeared to work as intended in all cases.
I filed a bug against Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=637433 This bug is like CVE-2008-2809 in Mozilla applications, except the certificate is accepted for any hostname whatsoever, not just the ones listed in the certificate. A mitigating factor is that a user typically uses a few hand-picked mail servers, which are less likely to be malicious than a random web site for which he/she might be persuaded to accept a bad certificate. Improved steps to reproduce: 1. If you are not using a throwaway user account, back up ~/.evolution/camel-cert.db and ~/.camel_certs to restore after testing. 2. Get the test server kit (attached). 3. Run the test server in a terminal with "./run-server 1". 4. Start the wizard to create a new mail account, and complete the "Identity" page with dummy values. 5. On the "Receiving Email" page, set the server to "127.0.0.1:4433", choose "SSL encryption", and click "Check for Supported Types" to trigger an SSL/TLS connection. 6. When the bad certificate dialog appears, click OK. 7. Type a Ctrl-D to the server to close the connection. (Evolution will indicate failure to check the supported authentication types, which doesn't matter here.) 8. Change the server to "localhost:4433" and click "Check for Supported Types" again. 9. When you are finished testing, cancel out of the wizard and if applicable, exit Evolution and restore ~/.evolution/camel-cert.db and ~/.camel_certs . Actual results: The certificate is silently accepted in step 8. Expected results: The bad certificate dialog should appear again.
Created attachment 194734 [details] [review] Fix: lookup certificates by hostname (regenerated against gnome-3-0 2011-08-24)
Created attachment 202164 [details] [review] Fix: lookup certificates by hostname (regenerated against gnome-3-2 2011-11-16)
Thanks for a bug report, but I cannot reproduce this neither on 3.2.2 nor 3.3.2. What I did: a) downloaded your test suit b) remove ~/.camel_certs and ~/.local/share/evolution/camel-cert.db c) begin adding a new IMAP account 127.0.0.1:4433 with SSL and user name d) ./run_server 1 e) "Check supported types" in account dialog, which brings bad certificate dialog for the first certificate. I click OK. And then cancel the pending request. f) stop server 1 and ./run_server 2 g) "Check supported types" and I see a certificate question with the second certificate, as expected. Relying on fingerprints is correct, because the fingerprint is a unique identifier of the certificate. In step e), immediately after user clicks "OK", the certificate is saved into camel's certificate database and onwards is treated as known and accepted by user, thus no other question is done for it. The second server has different fingerprint, thus it asks again.
(In reply to comment #7) > f) stop server 1 and ./run_server 2 This is not part of the procedure to reproduce (comment #4). Instead, please change the server name in Evolution to "localhost:4433" and then "Check for Supported Types" again. Evolution detects certificate /changes/ correctly in all cases. The bug is that if I accept a bad certificate for one hostname, the /same/ certificate will automatically be accepted for all other hostnames. So if I accept a bad certificate for my ISP's mail server "mail.isp.com", the ISP can then use that certificate to intercept my connections to "mail.other.com". The patch makes certificate overrides specific to the hostname, as they are in Mozilla PSM.
Oh, I'm sorry, I didn't follow your steps closely, didn't read them carefully. By the way, the host name as user writes it in UI may not be accurate, there should be used IP which is behind this host name, as it's the real identification of the server. Shouldn't it? It breaks your steps, but still should work. I noticed a disabled code in the camel-tcp-stream-ssl.c:ssl_bad_cert(), which seems to handle certain cases in detail, including the SSL_ERROR_BAD_CERT_DOMAIN error, thus, enable it and polish the code should do this in the right way. Maybe?
(In reply to comment #9) > By the way, the host name as user writes it in UI may not be accurate, there > should be used IP which is behind this host name, as it's the real > identification of the server. Shouldn't it? No, universal current practice is to match the hostname exactly as the user entered it. This is not the place to consider changes to that design. > I noticed a disabled code in the > camel-tcp-stream-ssl.c:ssl_bad_cert(), which seems to handle certain cases in > detail, including the SSL_ERROR_BAD_CERT_DOMAIN error, thus, enable it and > polish the code should do this in the right way. Maybe? No. This bug has nothing to do with SSL_ERROR_BAD_CERT_DOMAIN. SSL_ERROR_BAD_CERT_DOMAIN means that the name /in the certificate/ doesn't match the requested hostname. This bug is about a bad certificate being accepted even though the name /for which the user previously accepted the certificate/ doesn't match the requested hostname; the reason why the certificate was bad for the previous hostname is immaterial. The CERT_AddOKDomainName call might look a little bit like what we want, but it is not persistent and applies only to the server name check, whereas what we want is to mark the certificate as acceptable for a specific hostname regardless of what stage of the normal SSL_AuthCertificate failed, like Mozilla PSM has done since Firefox 3.
OK, I retested this and it works as you said. Let's add it in for 3.5.1.
Matt, I have one concern here, the hostname is case insensitive by default, but we compare it case sensitively. Might it make sense to use case-insensitive compare, also for CamelCertDB::cert_hash hast table?
I added there the case insensitive compare on hostnames, with a note in the commit log too. We missed 3.5.1, but: Created commit aa31c2a in eds master (3.5.2+)
This has a regression filled as bug #681962.