1019975 – socat: add TLS host name checks

Bug 1019975 - socat: add TLS host name checks

Summary: socat: add TLS host name checks

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	socat
Sub Component:
Version:	7.0
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Paul Wouters
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1019961
TreeView+	depends on / blocked

Reported:	2013-10-16 17:40 UTC by Florian Weimer
Modified:	2018-11-13 10:55 UTC (History)
CC List:	3 users (show)
Fixed In Version:	1.7.3.1-1
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-11-13 10:55:44 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Florian Weimer 2013-10-16 17:40:17 UTC

Currently, socat does not print an error message when certificate does not match the host name.  This is mitigated by the fact that the system CA certificate store is not used (bug 1019964).

Host name checking probably needs to be made optional, or the check could be overridden by specifying an explicit (non-CA) certificate or its SHA-256 hash.

Comment 4 Gerhard 2015-01-24 20:31:44 UTC

This has been fixed in socat version 1.7.3.0, Socat now checks the servername(s) in the certificates.

Comment 6 Paul Wouters 2018-11-13 10:55:44 UTC

This bug is addressed by ERRATA RHBA-2017:2049-03 socat bug fix update

https://errata.devel.redhat.com/advisory/26967

Note You need to log in before you can comment on or make changes to this bug.