[Haskell-cafe] [ANN] tls-extra 0.6.1 - security update, please upgrade.

Alexander Kjeldaas alexander.kjeldaas at gmail.com
Sun Jan 20 20:27:07 CET 2013


On Sun, Jan 20, 2013 at 6:50 AM, Vincent Hanquez <tab at snarc.org> wrote:

> Hi cafe,
>
> this is a security advisory for tls-extra < 0.6.1 which are all vulnerable
> to bad certificate validation.
>
> Some parts of the certificate validation procedure were missing (relying on
> the work-in-progress x509 v3 extensions), and because of this anyone with a
> correct end-entity certificate can issue certificates for any arbitrary
> domain, i.e. act as a CA.
>
> This problem has been fixed in tls-extra 0.6.1, and I advise everyone to
> upgrade as soon as possible.
>
> Despite a very serious flaw in the certificate validation, I'm happy that
> the code is seeing some audits, and would want to thank Ertugrul Söylemez
> for the findings [1].
>
> [1] https://github.com/vincenthz/hs-tls/issues/29
>
>
Regarding testing, it looks like the Tests directory hasn't been updated to
cover this bug. What would really give confidence is a set of tests encoding
fixed security vulnerabilities in OpenSSL (and similar libraries). That should
also give you a lot of confidence in your library.

But anyway, this is fantastic work you're doing. Keep it up!

Alexander

> --
> Vincent
>
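The advisory describes a validator that checks signatures and names but never asks whether the issuing certificate is allowed to issue (the x509 v3 basicConstraints / keyUsage check), so any end-entity certificate can act as a CA; Alexander's reply asks for tests that encode exactly such fixed bugs. The following is an added example, not code from hs-tls or tls-extra and not part of the original thread, written against Go's crypto/x509 rather than Haskell because it can build the whole scenario from the standard library. Every key and certificate in it is constructed in memory (root "Constructed Test Root", a legitimate server cert for "legit.example", and a cert for "victim.example" signed with the legit.example key); the function names VerifyChain, StdlibVerify and issuerMayIssue are this example's own, and the lax mode of VerifyChain is an illustration of the class of omission the advisory reports, not a reconstruction of the library's actual code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Scenario is a constructed PKI: a root CA, a legitimate end-entity certificate
// it issued, and a certificate for an unrelated host that the end-entity key
// signed as if it were a CA (the "leaf acting as CA" case from the advisory).
type Scenario struct{ Root, Leaf, Forged *x509.Certificate }

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// mustCert issues tmpl, signed by signer on behalf of parent, and parses the result.
func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildScenario generates fresh keys and certificates; all names are made up for the example.
func BuildScenario() Scenario {
	now := time.Now()
	rootKey, leafKey, forgedKey := newKey(), newKey(), newKey()
	base := x509.Certificate{NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}

	root := base
	root.SerialNumber, root.Subject = big.NewInt(1), pkix.Name{CommonName: "Constructed Test Root"}
	root.IsCA, root.BasicConstraintsValid = true, true
	root.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	rootCert := mustCert(&root, &root, &rootKey.PublicKey, rootKey)

	leaf := base
	leaf.SerialNumber, leaf.Subject = big.NewInt(2), pkix.Name{CommonName: "legit.example"}
	leaf.DNSNames = []string{"legit.example"}
	leaf.BasicConstraintsValid = true // extension present with cA=FALSE: an ordinary server cert
	leaf.KeyUsage = x509.KeyUsageDigitalSignature
	leaf.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	leafCert := mustCert(&leaf, rootCert, &leafKey.PublicKey, rootKey)

	forged := leaf
	forged.SerialNumber, forged.Subject = big.NewInt(3), pkix.Name{CommonName: "victim.example"}
	forged.DNSNames = []string{"victim.example"}
	forgedCert := mustCert(&forged, leafCert, &forgedKey.PublicKey, leafKey) // signed by the leaf's key
	return Scenario{rootCert, leafCert, forgedCert}
}

// LegitChain is what legit.example presents: its own certificate, issued by Root.
func (s Scenario) LegitChain() []*x509.Certificate { return []*x509.Certificate{s.Leaf} }

// ForgedChain is what someone holding legit.example's key presents while
// impersonating victim.example: the forged cert, with the real leaf as "intermediate".
func (s Scenario) ForgedChain() []*x509.Certificate { return []*x509.Certificate{s.Forged, s.Leaf} }

// issuerMayIssue is the RFC 5280 4.2.1.9 check: a certificate's key may verify other
// certificates only if basicConstraints asserts cA=TRUE and, when keyUsage is present,
// it includes keyCertSign.
func issuerMayIssue(issuer *x509.Certificate) error {
	if !issuer.BasicConstraintsValid || !issuer.IsCA {
		return fmt.Errorf("%q is not a CA (basicConstraints cA not asserted)", issuer.Subject.CommonName)
	}
	if issuer.KeyUsage != 0 && issuer.KeyUsage&x509.KeyUsageCertSign == 0 {
		return fmt.Errorf("%q lacks keyCertSign", issuer.Subject.CommonName)
	}
	return nil
}

// VerifyChain walks chain (leaf first) up to root, checking validity period, each
// signature, and the leaf's hostname. With checkCA=false it skips issuerMayIssue,
// and then any valid end-entity certificate works as a CA.
func VerifyChain(chain []*x509.Certificate, root *x509.Certificate, host string, checkCA bool) error {
	if len(chain) == 0 {
		return fmt.Errorf("empty chain")
	}
	now := time.Now()
	for i, cert := range chain {
		if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
			return fmt.Errorf("%q is outside its validity period", cert.Subject.CommonName)
		}
		issuer := root
		if i+1 < len(chain) {
			issuer = chain[i+1]
		}
		// Raw signature check with the issuer's public key; says nothing about whether issuer is a CA.
		if err := issuer.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature); err != nil {
			return fmt.Errorf("signature on %q: %w", cert.Subject.CommonName, err)
		}
		if checkCA {
			if err := issuerMayIssue(issuer); err != nil {
				return err
			}
		}
	}
	return chain[0].VerifyHostname(host)
}

// StdlibVerify runs the same chain through crypto/x509, which enforces the CA check itself.
func StdlibVerify(chain []*x509.Certificate, root *x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range chain[1:] {
		inters.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}
```

Run as a test (below) rather than by eye: the lax validator accepts the forged chain for victim.example, which is the advisory's bug, while the strict validator and crypto/x509 both reject it because the "intermediate" has basicConstraints cA=FALSE. Keeping the lax case in the test as an expected failure is the kind of regression test Alexander asks for: if someone ever re-introduces the omission, the strict assertion breaks.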