[Users] [Bug 2718] New: Certification code path review

noreply at thewildbeast.co.uk noreply at thewildbeast.co.uk
Sun Aug 5 17:59:46 CEST 2012


           Summary: Certification code path review
           Product: Claws Mail
           Version: 3.8.1
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P3
         Component: Other
        AssignedTo: users at lists.claws-mail.org
        ReportedBy: dominique-claws-mail at leuenberger.net

A security review came up with this result:

1. claws_ssl_get_cert_file() doesn't try any existing bundle file so
   the included bundle isn't used either
2. the return value of gnutls_certificate_verify_peers2() isn't
   used. Instead claws always runs into the code path for
   self-signed certificates (ie prompts for confirm)
3. claws does not call gnutls_x509_crt_check_hostname() which would
   make it prone to MITM. Due to 2) that's not a problem though.

Configure bugmail: http://www.thewildbeast.co.uk/claws-mail/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the Users mailing list