
document or implement lack of hostname verification #161

Open
johannesboon opened this issue May 20, 2020 · 1 comment

Comments


johannesboon commented May 20, 2020

Luasec, although the name suggests otherwise, seems not very secure by default, as it will gladly accept server certificates with any hostname.

Please consider this ancient paper:

The Most Dangerous Code in the World:
Validating SSL Certificates in Non-Browser Software

And maybe start using the function X509_VERIFY_PARAM_set1_host (introduced in OpenSSL 1.1) to verify the hostnames from the Subject Alternative Name, although some functions have also been available since OpenSSL 1.0.2; see the OpenSSL wiki page on Hostname Validation.

Or at least document the limitations of the current verification and the implications they might have.

Or maybe something based on this pull request:

#49

johannesboon changed the title from "document or implement lack of hostname er" to "document or implement lack of hostname verification" on May 20, 2020

ziz57 commented Jun 15, 2024

What's the situation with this? Are clients using luasec expected to do their own hostname verification?
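As an added example (not luasec's code and not from either commenter), this is the client-side check the question above refers to: luasec verifies the chain during the handshake, so the application compares the SAN dNSName entries against the host it dialled afterwards. The layout of the `cert:extensions()` table, the `conn:sni` call and the CA bundle path are assumptions about a luasec 1.x install.

```lua
local socket = require("socket")
local ssl    = require("ssl")
-- RFC 6125-style match of one dNSName pattern against a hostname: case-insensitive,
-- a wildcard is only accepted as the entire left-most label and spans one label only.
local function name_matches(pattern, host)
  pattern = pattern:lower()
  host = (host:lower():gsub("%.$", ""))          -- drop a trailing dot
  if pattern == host then return true end
  local suffix = pattern:match("^%*%.(.+)$")
  if not suffix or suffix:find("*", 1, true) then return false end  -- only "*.<suffix>"
  if not suffix:find(".", 1, true) then return false end            -- refuse "*.com"
  local _, host_suffix = host:match("^([^%.]+)%.(.+)$")
  return host_suffix == suffix
end

-- SAN dNSName entries of a luasec x509 object. Assumed layout of cert:extensions():
-- { subjectAltName = { oid = "...", dNSName = { "www.example.com", ... } } }.
local function san_dns_names(cert)
  local san = cert:extensions()["subjectAltName"]
  return (san and san.dNSName) or {}
end

-- True when some SAN dNSName matches the host we dialled (no CN fallback on purpose).
local function hostname_verified(cert, host)
  for _, name in ipairs(san_dns_names(cert)) do
    if name_matches(name, host) then return true end
  end
  return false
end

-- Connect, let luasec verify the chain, then apply the hostname check ourselves.
local function connect(host, port)
  local sock = assert(socket.tcp())
  assert(sock:connect(host, port))
  local conn = assert(ssl.wrap(sock, { mode = "client", protocol = "tlsv1_2",
    verify = "peer", options = "all",
    cafile = "/etc/ssl/certs/ca-certificates.crt" }))  -- path assumed (Debian-style)
  conn:sni(host)                 -- ask the server for the certificate of this name
  assert(conn:dohandshake())     -- the chain is verified here; the hostname is not
  local cert = conn:getpeercertificate()
  if not cert or not hostname_verified(cert, host) then
    conn:close()
    error("peer certificate was not issued for " .. host)
  end
  return conn
end

-- Self-check on constructed names; runs without a network.
assert(name_matches("*.example.com", "www.EXAMPLE.com."))
assert(not name_matches("*.example.com", "a.b.example.com"))
assert(not name_matches("*.com", "example.com"))
```

Hosts given as IP literals would need the iPAddress SAN entries instead of dNSName; the check above deliberately rejects them rather than falling back to the Common Name.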
