[Haskell-cafe] [ANN] tls-extra 0.6.1 - security update, please upgrade.

Alexander Kjeldaas alexander.kjeldaas at gmail.com
Sun Jan 20 20:27:07 CET 2013

On Sun, Jan 20, 2013 at 6:50 AM, Vincent Hanquez <tab at snarc.org> wrote:

> Hi cafe,
> this is a security advisory for tls-extra < 0.6.1 which are all vulnerable
> to bad
> certificate validation.
> Some part of the certificate validation procedure were missing (relying on
> the
> work-in-progress x509 v3 extensions), and because of this anyone with a
> correct
> end-entity certificate can issue certificate for any arbitrary domain, i.e.
> acting as a CA.
> This problem has been fixed in tls-extra 0.6.1, and I advise everyone to
> upgrade as
> soon as possible.
> Despite a very serious flaw in the certificate validation, I'm happy that
> the
> code is seeing some audits, and would want to thanks Ertugrul Söylemez for
> the
> findings [1].
> [1] https://github.com/vincenthz/hs-tls/issues/29
Regarding testing, it looks like the Tests directory hasn't been updated to
cover this bug.  What would really give confidence is a set of tests
encoding fixed security vulnerabilities in OpenSSL (and similar libraries).
 That should also give you a lot of confidence in your library.

But anyways, this is fantastic work you're doing.  Keep it up!


> --
> Vincent
> _______________________________________________
> Haskell-Cafe mailing list
> Haskell-Cafe at haskell.org
> http://www.haskell.org/mailman/listinfo/haskell-cafe
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.haskell.org/pipermail/haskell-cafe/attachments/20130120/296eb674/attachment.htm>

More information about the Haskell-Cafe mailing list