[Users] [Bug 2718] New: Certification code path review
noreply at thewildbeast.co.uk
Sun Aug 5 17:59:46 CEST 2012
http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2718
Summary: Certification code path review
Product: Claws Mail
Version: 3.8.1
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P3
Component: Other
AssignedTo: users at lists.claws-mail.org
ReportedBy: dominique-claws-mail at leuenberger.net
A security review came up with this result:
1. claws_ssl_get_cert_file() doesn't try any existing bundle file, so
   the included bundle isn't used either
2. the return value of gnutls_certificate_verify_peers2() isn't
   used. Instead claws always runs into the code path for
   self-signed certificates (i.e. prompts for confirmation)
3. claws does not call gnutls_x509_crt_check_hostname(), which would
   make it prone to MITM. Due to 2) that's not a problem though.
--
Configure bugmail: http://www.thewildbeast.co.uk/claws-mail/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
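
Added example, not part of the bug report and not Claws Mail code: one possible decision policy that consumes the results of the two GnuTLS calls named in points 2 and 3, so that only an unknown-issuer certificate reaches the confirmation prompt. The ST_* constants, the peer_action type and classify_peer() are hypothetical names; the accept/prompt/reject policy itself is an assumption.

```c
#include <stdio.h>

/* Local stand-ins for the GnuTLS status bits (GNUTLS_CERT_INVALID and
 * friends); real code takes them from <gnutls/gnutls.h>. */
enum {
    ST_INVALID          = 1 << 1,
    ST_REVOKED          = 1 << 5,
    ST_SIGNER_NOT_FOUND = 1 << 6,
    ST_EXPIRED          = 1 << 10
};

typedef enum { PEER_ACCEPT, PEER_PROMPT, PEER_REJECT } peer_action;

/*
 * verify_rc   : return value of gnutls_certificate_verify_peers2()
 * status      : status word that call fills in
 * hostname_ok : non-zero result of gnutls_x509_crt_check_hostname()
 */
peer_action classify_peer(int verify_rc, unsigned int status, int hostname_ok)
{
    if (verify_rc < 0)
        return PEER_REJECT;   /* verification itself failed */
    if (!hostname_ok)
        return PEER_REJECT;   /* certificate was issued for another host */
    if (status == 0)
        return PEER_ACCEPT;   /* chains to a CA in the loaded bundle */
    /* Unknown issuer and nothing else wrong: the only case that prompts. */
    if ((status & ~(unsigned int)ST_INVALID) == ST_SIGNER_NOT_FOUND)
        return PEER_PROMPT;
    return PEER_REJECT;       /* revoked, expired, or any other flag */
}

int main(void)
{
    /* Constructed inputs, not captured from a real TLS session. */
    printf("trusted chain      -> %d\n", classify_peer(0, 0, 1));
    printf("unknown issuer     -> %d\n",
           classify_peer(0, ST_INVALID | ST_SIGNER_NOT_FOUND, 1));
    printf("hostname mismatch  -> %d\n", classify_peer(0, 0, 0));
    printf("revoked            -> %d\n",
           classify_peer(0, ST_INVALID | ST_REVOKED, 1));
    return 0;
}
```

PEER_ACCEPT is reachable only when a CA bundle has actually been loaded into the credentials, which is the dependency on point 1.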