[Bug 63810] New: idle basically doesn't validate SSL/TLS certificates
bugzilla-daemon at freedesktop.org
Mon Apr 22 19:46:04 CEST 2013
https://bugs.freedesktop.org/show_bug.cgi?id=63810
Priority: medium
Bug ID: 63810
CC: will.thompson at collabora.co.uk
Assignee: simon.mcvittie at collabora.co.uk
Summary: idle basically doesn't validate SSL/TLS certificates
QA Contact: telepathy-bugs at lists.freedesktop.org
Severity: major
Classification: Unclassified
OS: All
Reporter: simon.mcvittie at collabora.co.uk
Hardware: Other
Status: ASSIGNED
Version: git master
Component: idle
Product: Telepathy
telepathy-idle 0.0.4 (the code-drop from Sourceforge) didn't validate TLS
certificates:
> /* TODO sometime in the future implement certificate verification */
telepathy-idle 0.1.11 moved it from OpenSSL to GIO TLS, but still didn't
validate certificates, in order to make the regression tests work (Bug #37145):
> """
> The first one allows self-signed certificates, while the other two are
> needed to satisfy the certificate used in the test suite. Once
> Channel.Type.ServerTLSConnection is implemented we will see if we can
> restore these checks.
> """
>
> g_socket_client_set_tls_validation_flags(priv->socket_client,
> G_TLS_CERTIFICATE_VALIDATE_ALL
> & ~G_TLS_CERTIFICATE_UNKNOWN_CA
> & ~G_TLS_CERTIFICATE_BAD_IDENTITY
> & ~G_TLS_CERTIFICATE_EXPIRED);
If the regression tests need to turn off cert validation, this should not be at
the expense of being insecure during normal usage.
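
The effect of the quoted mask, and one way to keep the relaxation out of normal usage, as an added example that is not part of the original report or of telepathy-idle's code. The CERT_* constants mirror GIO's GTlsCertificateFlags bit values so the block builds without GLib; accepts() and choose_validation_flags() are hypothetical helpers, and the opt-in value stands for a test-only setting.

```c
#include <stdio.h>
#include <string.h>

/* Local mirror of GIO's GTlsCertificateFlags bit values, so this builds without GLib. */
enum {
    CERT_UNKNOWN_CA    = 1 << 0,
    CERT_BAD_IDENTITY  = 1 << 1,
    CERT_NOT_ACTIVATED = 1 << 2,
    CERT_EXPIRED       = 1 << 3,
    CERT_REVOKED       = 1 << 4,
    CERT_INSECURE      = 1 << 5,
    CERT_GENERIC_ERROR = 1 << 6,
    CERT_VALIDATE_ALL  = 0x7f
};

/* The mask quoted in the report. */
#define REPORTED_MASK \
    (CERT_VALIDATE_ALL & ~CERT_UNKNOWN_CA & ~CERT_BAD_IDENTITY & ~CERT_EXPIRED)

/* Simplified model: the handshake fails only if a detected error is enforced. */
int accepts(unsigned enforced, unsigned errors)
{
    return (errors & enforced) == 0;
}

/* Hypothetical policy: full validation unless the test harness opts in
 * explicitly (opt_in would come from a test-only setting, e.g. getenv()). */
unsigned choose_validation_flags(const char *opt_in)
{
    if (opt_in != NULL && strcmp(opt_in, "1") == 0)
        return REPORTED_MASK;
    return CERT_VALIDATE_ALL;
}

int main(void)
{
    /* Constructed case: untrusted issuer, wrong host name, and expired. */
    unsigned errors = CERT_UNKNOWN_CA | CERT_BAD_IDENTITY | CERT_EXPIRED;

    printf("reported mask enforces 0x%02x of 0x%02x\n",
           (unsigned) REPORTED_MASK, (unsigned) CERT_VALIDATE_ALL);
    printf("reported mask accepts it:  %d\n", accepts(REPORTED_MASK, errors));
    printf("normal use accepts it:     %d\n",
           accepts(choose_validation_flags(NULL), errors));
    printf("test opt-in accepts it:    %d\n",
           accepts(choose_validation_flags("1"), errors));
    return 0;
}
```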