Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Harden ssl module against CVE-2018-8970 #77317

Closed
tiran opened this issue Mar 25, 2018 · 5 comments
Closed

Harden ssl module against CVE-2018-8970 #77317

tiran opened this issue Mar 25, 2018 · 5 comments
Assignees
@tiran
Labels
3.7 (EOL) end of life 3.8 only security fixes topic-SSL type-security A security issue

Comments

@tiran
Copy link
Member

tiran commented Mar 25, 2018

BPO 33136
Nosy @gpshead, @tiran, @epicfaace
PRs
  • bpo-33136: Harden ssl module against CVE-2018-8970 #6229
  • [3.7] bpo-33136: Harden ssl module against CVE-2018-8970 (GH-6229) #6230
    		•

    Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    Show more details

    GitHub fields:

    assignee = 'https://github.com/tiran'
closed_at = <Date 2021-03-13.10:03:31.780>
created_at = <Date 2018-03-25.09:19:22.706>
labels = ['type-security', 'expert-SSL', '3.7', '3.8']
title = 'Harden ssl module against CVE-2018-8970'
updated_at = <Date 2021-03-13.10:03:31.779>
user = 'https://github.com/tiran'

    bugs.python.org fields:

    activity = <Date 2021-03-13.10:03:31.779>
actor = 'gregory.p.smith'
assignee = 'christian.heimes'
closed = True
closed_date = <Date 2021-03-13.10:03:31.780>
closer = 'gregory.p.smith'
components = ['SSL']
creation = <Date 2018-03-25.09:19:22.706>
creator = 'christian.heimes'
dependencies = []
files = []
hgrepos = []
issue_num = 33136
keywords = ['patch']
message_count = 5.0
messages = ['314400', '314402', '314406', '364181', '388600']
nosy_count = 3.0
nosy_names = ['gregory.p.smith', 'christian.heimes', 'epicfaace']
pr_nums = ['6229', '6230']
priority = 'high'
resolution = 'fixed'
stage = 'commit review'
status = 'closed'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue33136'
versions = ['Python 3.7', 'Python 3.8']
    @tiran
    Copy link
    Member Author

    tiran commented Mar 25, 2018

    Since 3.7, the ssl module uses X509_VERIFY_PARAM_set1_host() to put the burden of hostname matching on OpenSSL. More specific, it calls X509_VERIFY_PARAM_set1_host(param, server_hostname, 0). The namelen=0 parameter means that OpenSSL handles server_hostname as a NUL-terminated C string.

    LibreSSL 2.7.0 added X509_VERIFY_PARAM_set1_host(), but took the implementation from BoringSSL instead of OpenSSL. The BoringSSL implementation doesn't support namelen=0. X509_VERIFY_PARAM_set1_host(param, server_hostname, 0) returns success but doesn't configure the SSL connection for hostname verification. As a result, LibreSSL 2.7.0 doesn't perform any hostname matching. All trusted certificates are accepted for just any arbitrary hostname. This misbehavior left Python 3.7 beta open to man-in-the-middle attack.

    LibreSSL 2.7.1 has fixed the issue. To harden the ssl module against, I'm also changing our implementation to use strlen() instead of 0.

    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8970
    https://bugs.chromium.org/p/boringssl/issues/detail?id=30
    https://bugs.chromium.org/p/chromium/issues/detail?id=824799 (restricted for now)

    @tiran tiran added 3.7 (EOL) end of life 3.8 only security fixes labels Mar 25, 2018
    @tiran tiran self-assigned this Mar 25, 2018
    @tiran tiran added topic-SSL type-security A security issue labels Mar 25, 2018
    @tiran
    Copy link
    Member Author

    tiran commented Mar 25, 2018

    New changeset d02ac25 by Christian Heimes in branch 'master':
    bpo-33136: Harden ssl module against CVE-2018-8970 (GH-6229)
    d02ac25

    @tiran
    Copy link
    Member Author

    tiran commented Mar 25, 2018

    New changeset 2dd885e by Christian Heimes (Miss Islington (bot)) in branch '3.7':
    [3.7] bpo-33136: Harden ssl module against CVE-2018-8970 (GH-6229) (GH-6230)
    2dd885e

    @epicfaace
    Copy link
    Mannequin

    epicfaace mannequin commented Mar 14, 2020

    Can this be closed now?

    @gpshead
    Copy link
    Member

    gpshead commented Mar 13, 2021

    yes, this was fixed.

    @gpshead gpshead closed this as completed Mar 13, 2021
    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
    Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
    Assignees

    @tiran tiran

    Labels
    3.7 (EOL) end of life 3.8 only security fixes topic-SSL type-security A security issue
    Projects
    None yet
    Milestone
    No milestone
    Development

    No branches or pull requests
    2 participants
    @gpshead @tiran