Bug 864897
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | ssmtp: Does not validate server certificates when using TLS connection [fedora-all] | | |
| Product: | [Fedora] Fedora | Reporter: | Jan Lieskovsky <jlieskov> |
| Component: | ssmtp | Assignee: | manuel wolfshant <manuel.wolfshant> |
| Status: | CLOSED EOL | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 23 | CC: | manuel.wolfshant, opensource, pj.pandit |
| Target Milestone: | --- | Keywords: | Reopened, Security, SecurityTracking |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | fst_owner=pjp, fst_ping=1 | | |
| Fixed In Version: | | Doc Type: | Release Note |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-12-20 12:28:14 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1160172 | | |
| Bug Blocks: | 864894 | | |
Description
Jan Lieskovsky
2012-10-10 11:00:36 UTC
ssmtp-2.64-5.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/ssmtp-2.64-5.fc18

ssmtp-2.61-19.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/ssmtp-2.61-19.fc17

ssmtp-2.61-19.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.

ssmtp-2.64-5.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.

see bug 864894

Fedora 17 changed to end-of-life (EOL) status on 2013-07-30. Fedora 17 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.

This is not fully fixed. See https://bugzilla.redhat.com/show_bug.cgi?id=864894#c22
Re-opening.

-> https://bugzilla.redhat.com/show_bug.cgi?id=864894#c24

It seems the fix depends on Openssl 1.1 being used. Current F20 version is 1.0.1.

    $ openssl version
    OpenSSL 1.0.1e-fips 11 Feb 2013

Does it mean that this bug can not be fixed for now? If so, maybe it's better to close this bug as WONTFIX.

-> http://www.openwall.com/lists/oss-security/2012/10/11/7

Second, since this issue is designated as a non-security one, it'll help to treat this bug as a bug fix or a RFE, rather than a security fix.

(In reply to pjp from comment #8)
> -> http://www.openwall.com/lists/oss-security/2012/10/11/7
>
> Second, since this issue is designated as a non-security one, it'll help to
> treat this bug as a bug fix or a RFE, rather than a security fix.

In Fedora, ssmtp was patched to claim that it supports certificate validation, therefore in Fedora it is a security vulnerability.

I would be more than happy to patch ssmtp if I had a working patch. But...is there a way to do that, given that openssl does not support the needed features?

Hello Manuel,

(In reply to manuel wolfshant from comment #10)
> I would be more than happy to patch ssmtp if I had a working patch.
> But...is there a way to do that, given that openssl does not support the
> needed features?

I came across these two patches by Mr W Trevor Kind [1]

-> https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=0003-Validate-the-server-certificate-when-using-TLS.patch;att=1;bug=662960
-> https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=10;filename=0001-Add-TLSKey-option-for-separate-key-and-certificate-f.patch;att=1;bug=662958

Not sure if they address the issue neatly, if not, maybe it would help to get in touch with Mr Trevor for a discussion.

--
[1] http://blog.tremily.us/posts/sSMTP/

(In reply to pjp from comment #11)
> Hello Manuel,
>
> (In reply to manuel wolfshant from comment #10)
> > I would be more than happy to patch ssmtp if I had a working patch.
> > But...is there a way to do that, given that openssl does not support the
> > needed features?
>
> I came across these two patches by Mr W Trevor Kind [1]
>
> -> https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=0003-Validate-the-server-certificate-when-using-TLS.patch;att=1;bug=662960
> -> https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=10;filename=0001-Add-TLSKey-option-for-separate-key-and-certificate-f.patch;att=1;bug=662958

These are the (faulty) patches the Fedora patch is based on:
http://pkgs.fedoraproject.org/cgit/ssmtp.git/tree/ssmtp-validate-TLS-server-cert.patch

> Not sure if they address the issue neatly, if not, maybe it would help to
> get in touch with Mr Trevor for a discussion.

It was already reported in Debian Bugzilla that one of the patches is faulty:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=662960#12

Nevertheless, the Fedora patch only ensures that the certificate is signed by the proper CA (this is also what the original patches try to achieve), but they do not ensure that the certificate is actually issued for the server in question, i.e. by verifying the common name against the host name. This can be easily done with OpenSSL 1.1, but older releases require to do this in the application. Therefore the code from OpenSSL 1.1 needs to be back ported to the older OpenSSL in Fedora or into ssmtp itself.

Hello Till,

(In reply to Till Maas from comment #12)
> Nevertheless, the Fedora patch only ensures that the certificate is signed
> by the proper CA (this is also what the original patches try to achieve),
> but they do not ensure that the certificate is actually issued for the
> server in question, i.e. by verifying the common name against the host name.
> This can be easily done with OpenSSL 1.1, but older releases require to do
> this in the application. Therefore the code from OpenSSL 1.1 needs to be
> back ported to the older OpenSSL in Fedora or into ssmtp itself.

I see. Thank you so much for the explanation, I appreciate it.

But then if ssmtp requires OpenSSL to provide some functionality in OpenSSL version 1.0.1e, maybe we need to open a bug against OpenSSL requesting for the same and make this bug depend on that one. OR is such a bug already open?

The idea is to take small steps towards meaningfully closing these bugs, which have been open for more than two years now. In case we can not do that, close these bugs as WONTFIX with a due commentary about why it can not be fixed.

(In reply to pjp from comment #13)
> But then if ssmtp requires OpenSSL to provide some functionality in OpenSSL
> version 1.0.1e, maybe we need to open a bug against OpenSSL requesting for
> the same and make this bug depend on that one. OR is such a bug already open?

Please see -> https://bugzilla.redhat.com/show_bug.cgi?id=1160172

@Manuel, in case openssl folks decline the RFE, the only option would be to do it in ssmtp.

Well.. given https://bugzilla.redhat.com/show_bug.cgi?id=1160172#c1 I guess we need a kind soul to create a patch for ssmtp, as I quit programming 15 years ago. All I can do for now is to add a warning in the readme file.

(In reply to manuel wolfshant from comment #15)
> Well.. given https://bugzilla.redhat.com/show_bug.cgi?id=1160172#c1 I guess
> we need a kind soul to create a patch for ssmtp, as I quit programming 15
> years ago.

Oh, interesting. Well in that case, at least let the upstream know about it. Also maybe you could ask for a kind soul by publicizing this requirement, via a blog or writing to the fedora-devel and upstream devel mailing lists etc. I'll also blog about it. Worst case we'll close this issue citing insufficient manpower.

> All I can do for now is to add a warning in the readme file.

I think it is already documented by upstream, no?
-> https://bugzilla.redhat.com/show_bug.cgi?id=864897#c9

The RFE has been closed saying it is unlikely that it'll be fixed upstream.
-> https://bugzilla.redhat.com/show_bug.cgi?id=1160172#c5

@manual: Where are the upstream ssmtp sources? I came across this Debian repository but it's untouched since long.
-> http://anonscm.debian.org/cgit/ssmtp/ssmtp.git

Is the upstream project alive at all?

The project is very much alive and Mr. Anibal Monsalve Salazar, the maintainer, is a very nice person.

As of sources: I started from the official packages included in Debian (ftp://ftp.debian.org/debian/pool/main/s ) and added patches from several bug trackers ( debian, gentoo ) and also custom Fedora ones ( for instance even Mr. Till Maas provided some ).

PS: ManuEl not ManuAl :)

(In reply to manuel wolfshant from comment #19)
> The project is very much alive and Mr. Anibal Monsalve Salazar, the
> maintainer, is a very nice person.

Great!

> As of sources: I started from the official packages included in Debian
> (ftp://ftp.debian.org/debian/pool/main/s ) and added patches from several
> bug trackers ( debian, gentoo ) and also custom Fedora ones ( for instance
> even Mr. Till Maas provided some ).

I see, okay.

> PS: ManuEl not ManuAl :)

Yes, I realised it after posting it, sorry about that. :)

I'm going to send this patch requirement to a students' list, inviting them to write the patch if they find it interesting. I'll CC you on the email, hope that is okay. Thank you.

Hello wolfy, do you plan to fix this soon?

@pjp: as soon as you or any of your students (or anyone else actually) provide a working patch

This message is a reminder that Fedora 20 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 20. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '20'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 20 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

Hello Manuel,

(In reply to manuel wolfshant from comment #22)
> @pjp: as soon as you or any of your students (or anyone else actually)
> provide a working patch

Yes, that did not quite work out well. So far no-one has come up with a patch.

Considering F20 is nearing its end, there is no patch in sight, creating an upstream patch is not straightforward (BZ#1160172), and nobody is working towards that, I think it's time to close this as wontfix/cantfix or eol.

I prefer to see the existence of this bug in "open" state as a call for help so, since it affects all versions of Fedora, I updated the release (so that the bug does not get automatically closed). I still have hope that someone might step in and help.

This message is a reminder that Fedora 21 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 21. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '21'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 21 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

This message is a reminder that Fedora 23 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 23. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '23'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 23 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

Fedora 23 changed to end-of-life (EOL) status on 2016-12-20. Fedora 23 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version.

If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug.

Thank you for reporting this bug and we are sorry it could not be fixed.
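Comment #12 above makes the point that the thread turns on: checking that the server certificate chains to a trusted CA (all the Fedora patch did) does not bind the certificate to the host ssmtp meant to reach, so the host name also has to be matched against the names in the certificate, and with the OpenSSL in Fedora at the time that check had to live in the application. The Python below is an added illustration of that application-side check and is not ssmtp's code or any of the patches linked in this bug; it generalises slightly beyond the comment's "common name" wording by preferring subjectAltName dNSName entries and only falling back to the CN when none are present. PEER_CERT is a constructed certificate in the dict shape Python's ssl.getpeercert() returns; client_context shows the equivalent gap and fix in Python's ssl configuration.

```python
import ssl

# Constructed sample in the shape ssl.getpeercert() returns after the CA
# chain has been verified. A valid signature alone says nothing about
# whether this certificate was issued for the server we meant to reach.
PEER_CERT = {
    "subject": ((("commonName", "smtp.example.com"),),),
    "subjectAltName": (("DNS", "smtp.example.com"), ("DNS", "*.mail.example.com")),
}


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate dNSName (possibly a wildcard) against a host name.

    Only a whole leftmost label may be '*', and it matches exactly one label:
    '*.mail.example.com' covers 'a.mail.example.com' but not 'mail.example.com'
    or 'x.y.mail.example.com'. Matching is case-insensitive and ignores a
    trailing dot on the host name.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    head, _, tail = pattern.partition(".")
    if head != "*" or not tail:
        return False  # '*' must be the complete leftmost label
    host_head, _, host_tail = hostname.partition(".")
    return bool(host_head) and host_tail == tail


def hostname_matches_cert(cert: dict, hostname: str) -> bool:
    """Application-side check that a CA-validated certificate names this host."""
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not dns_names:
        # Fall back to the subject CN only when no dNSName SAN is present.
        dns_names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_name_matches(name, hostname) for name in dns_names)


def client_context(check_hostname: bool) -> ssl.SSLContext:
    """CERT_REQUIRED with check_hostname=False is the CA-only state comment #12 describes."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = check_hostname
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx
```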