Bug 864897 - ssmtp: Does not validate server certificates when using TLS connection [fedora-all]
ssmtp: Does not validate server certificates when using TLS connection [fedor...
Status: ASSIGNED
Product: Fedora
Classification: Fedora
Component: ssmtp (Show other bugs)
23
All Linux
medium Severity medium
: ---
: ---
Assigned To: manuel wolfshant
Fedora Extras Quality Assurance
fst_owner=pjp, fst_ping=1
: Reopened, Security, SecurityTracking
Depends On: 1160172
Blocks: 864894
  Show dependency treegraph
 
Reported: 2012-10-10 07:00 EDT by Jan Lieskovsky
Modified: 2016-11-24 05:49 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Release Note
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-08-01 14:22:28 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jan Lieskovsky 2012-10-10 07:00:36 EDT
This is an automatically created tracking bug!  It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.

For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.

For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs

When creating a Bodhi update request, please include this bug ID and the
bug IDs of this bug's parent bugs filed against the "Security Response"
product (the top-level CVE bugs).  Please mention the CVE IDs being fixed
in the RPM changelog when available.

Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=864894

Please note: this issue affects multiple supported versions of Fedora.
Only one tracking bug has been filed; please ensure that it is only closed
when all affected versions are fixed.

[bug automatically created by: add-tracking-bugs]
Comment 1 Fedora Update System 2012-10-13 00:32:54 EDT
ssmtp-2.64-5.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/ssmtp-2.64-5.fc18
Comment 2 Fedora Update System 2012-10-13 20:24:03 EDT
ssmtp-2.61-19.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/ssmtp-2.61-19.fc17
Comment 3 Fedora Update System 2012-10-31 21:20:37 EDT
ssmtp-2.61-19.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Fedora Update System 2012-11-08 00:44:55 EST
ssmtp-2.64-5.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Till Maas 2013-07-18 07:58:40 EDT
see bug 864894
Comment 6 Fedora End Of Life 2013-08-01 14:22:41 EDT
Fedora 17 changed to end-of-life (EOL) status on 2013-07-30. Fedora 17 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.
Comment 7 Vincent Danen 2013-10-23 17:25:05 EDT
This is not fully fixed.  See https://bugzilla.redhat.com/show_bug.cgi?id=864894#c22

Re-opening.
Comment 8 pjp 2014-11-01 04:48:21 EDT
  -> https://bugzilla.redhat.com/show_bug.cgi?id=864894#c24

It seems the fix depends on Openssl 1.1 being used. Current F20 version is 1.0.1.

$ openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013

Does it mean that this bug can not be fixed for now? If so, maybe it's better to close this bug as WONTFIX.

 -> http://www.openwall.com/lists/oss-security/2012/10/11/7

Second, since this issue is designated as a non-security one, it'll help to treat this bug as a bug fix or a RFE, rather than a security fix.
Comment 9 Till Maas 2014-11-01 05:32:17 EDT
(In reply to pjp from comment #8)

>  -> http://www.openwall.com/lists/oss-security/2012/10/11/7
> 
> Second, since this issue is designated as a non-security one, it'll help to
> treat this bug as a bug fix or a RFE, rather than a security fix.

In Fedora, ssmtp was patched to claim that it supports certificate validation, therefore in Fedora it is a security vulnerability.
Comment 10 manuel wolfshant 2014-11-02 02:44:50 EST
 I would be more than happy to patch ssmtp if I had a working patch. But...is there a way to do that, given that openssl does not support the needed features ?
Comment 11 pjp 2014-11-02 04:42:59 EST
  Hello Manuel,

(In reply to manuel wolfshant from comment #10)
>  I would be more than happy to patch ssmtp if I had a working patch.
> But...is there a way to do that, given that openssl does not support the
> needed features ?

  I came across these two patches by Mr W Trevor Kind [1]

 -> https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=0003-Validate-the-server-certificate-when-using-TLS.patch;att=1;bug=662960

 -> https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=10;filename=0001-Add-TLSKey-option-for-separate-key-and-certificate-f.patch;att=1;bug=662958

Not sure if they address the issue neatly, if not, maybe it would help to get in touch with Mr Trevor for a discussion.

--
[1] http://blog.tremily.us/posts/sSMTP/
Comment 12 Till Maas 2014-11-02 05:00:28 EST
(In reply to pjp from comment #11)
>   Hello Manuel,
> 
> (In reply to manuel wolfshant from comment #10)
> >  I would be more than happy to patch ssmtp if I had a working patch.
> > But...is there a way to do that, given that openssl does not support the
> > needed features ?
> 
>   I came across these two patches by Mr W Trevor Kind [1]
> 
>  ->
> https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=5;filename=0003-Validate-
> the-server-certificate-when-using-TLS.patch;att=1;bug=662960
> 
>  ->
> https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=10;filename=0001-Add-
> TLSKey-option-for-separate-key-and-certificate-f.patch;att=1;bug=662958

These are the (faulty) patches the Fedora the Fedora patch is based on:
http://pkgs.fedoraproject.org/cgit/ssmtp.git/tree/ssmtp-validate-TLS-server-cert.patch

> Not sure if they address the issue neatly, if not, maybe it would help to
> get in touch with Mr Trevor for a discussion.

It was already reported in Debian Bugzilla, that one of the patches is faulty:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=662960#12

Nevertheless, the Fedora patch only ensures that the certificate is signed by the proper CA (this is also what the original patches try to achieve), but they do not ensure that the certificate is actually issued for the server in question. i.e. by verifying the common name agains the host name. This can be easily done with OpenSSL 1.1, but older releases require to do this in the application. Therefore the code from OpenSSL 1.1 needs to be back ported to the older OpenSSL in Fedora or into ssmtp itself.
Comment 13 pjp 2014-11-02 05:08:17 EST
  Hello Till,

(In reply to Till Maas from comment #12)
> Nevertheless, the Fedora patch only ensures that the certificate is signed
> by the proper CA (this is also what the original patches try to achieve),
> but they do not ensure that the certificate is actually issued for the
> server in question. i.e. by verifying the common name agains the host name.
> This can be easily done with OpenSSL 1.1, but older releases require to do
> this in the application. Therefore the code from OpenSSL 1.1 needs to be
> back ported to the older OpenSSL in Fedora or into ssmtp itself.

  I see. Thank you so much for the explanation, I appreciate it.

But then if ssmtp requires OpenSSL to provide some functionality in OpenSSL version 1.0.1e, maybe we need to open a bug against OpenSSL requesting for the same and make this bug depend on that one. OR is such a bug already open?

Idea is to take small steps towards meaningfully closing these bugs, which have been open for more than two years now.

In case if we can not do that, close these bugs as WONTFIX with a due commentary about why it can not be fixed.
Comment 14 pjp 2014-11-04 04:01:00 EST
(In reply to pjp from comment #13)
> But then if ssmtp requires OpenSSL to provide some functionality in OpenSSL
> version 1.0.1e, maybe we need to open a bug against OpenSSL requesting for
> the same and make this bug depend on that one. OR is such a bug already open?

Please see -> https://bugzilla.redhat.com/show_bug.cgi?id=1160172

@Manuel, in case openssl folks decline the RFE, the only option would be to do it in ssmtp.
Comment 15 manuel wolfshant 2014-11-04 04:09:38 EST
Well.. given https://bugzilla.redhat.com/show_bug.cgi?id=1160172#c1 I guess we need a kind soul to create a patch for ssmtp, as I quit programming 15 years ago.

All I can do for now is to add a warning in the readme file.
Comment 16 pjp 2014-11-04 07:18:55 EST
(In reply to manuel wolfshant from comment #15)
> Well.. given https://bugzilla.redhat.com/show_bug.cgi?id=1160172#c1 I guess
> we need a kind soul to create a patch for ssmtp, as I quit programming 15
> years ago.

  Oh, interesting. Well in that case, at least let the upstream know about it. Also maybe you could ask for a kind soul by publicizing this requirement, via a blog or writing to the fedora-devel and upstream devel mailing lists etc. I'll also blog about it. Worst case we'll close this issue citing insufficient manpower.

> All I can do for now is to add a warning in the readme file.

  I think it is already documented by upstream, no?

 -> https://bugzilla.redhat.com/show_bug.cgi?id=864897#c9
Comment 17 pjp 2014-11-04 07:55:17 EST
The RFE has been closed saying - it is unlikely that it'll be fixed upstream.

  -> https://bugzilla.redhat.com/show_bug.cgi?id=1160172#c5
Comment 18 pjp 2014-11-05 07:48:39 EST
@manual: Where is the upstream ssmtp sources?

I came across this Debian repository but it's untouched since long.

  -> http://anonscm.debian.org/cgit/ssmtp/ssmtp.git

Is the upstream project alive at all?
Comment 19 manuel wolfshant 2014-11-05 08:00:02 EST
The project is very much alive and Mr. Anibal Monsalve Salazar, the maintainer is a very nice person.
As of sources: I started from the official packages included in Debian (ftp://ftp.debian.org/debian/pool/main/s ) and added patches from several bug trackers ( debian, gentoo ) and also custom Fedora ones ( for instance even Mr. Till Maas provided some ).

PS: ManuEl not ManuAl :)
Comment 20 pjp 2014-11-05 08:14:54 EST
(In reply to manuel wolfshant from comment #19)
> The project is very much alive and Mr. Anibal Monsalve Salazar, the
> maintainer is a very nice person.

  Great!

> As of sources: I started from the official packages included in Debian
> (ftp://ftp.debian.org/debian/pool/main/s ) and added patches from several
> bug trackers ( debian, gentoo ) and also custom Fedora ones ( for instance
> even Mr. Till Maas provided some ).

  I see, okay.
 
> PS: ManuEl not ManuAl :)

  Yes, I realised it after posting it, sorry about that. :)

I'm going to send this patch requirement to a student's list, inviting them to write the patch if they find it interesting. I'll CC you on the email, hope that is okay.

Thank you.
Comment 21 pjp 2015-04-09 13:27:18 EDT
Hello wolfy@nobugconsulting.ro,

You plan to fix this soon?
Comment 22 manuel wolfshant 2015-04-09 17:58:44 EDT
@pjp: as soon as you or any of your students (or anyone else actually) provide a working patch
Comment 23 Fedora End Of Life 2015-05-29 04:47:39 EDT
This message is a reminder that Fedora 20 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 20. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '20'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 20 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 24 pjp 2015-05-29 05:25:52 EDT
  Hello Manuel,

(In reply to manuel wolfshant from comment #22)
> @pjp: as soon as you or any of your students (or anyone else actually)
> provide a working patch

  Yes, that did not quite work out well. So far no-one has come up with a patch.
Considering F20 is nearing its end, there is no patch in sight, creating an upstream patch is not straightforward(BZ#1160172), and nobody is working towards that, I think it's time to close this as wontfix/cantfix or eol.
Comment 25 manuel wolfshant 2015-05-29 05:29:27 EDT
I prefer to see the existence of this bug in "open" state as a call for help so, since it affects all versions of Fedora I updated the release (so that the bug does not get automatically closed).
I still have hope that someone might step in and help.
Comment 26 Fedora End Of Life 2015-11-04 10:32:31 EST
This message is a reminder that Fedora 21 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 21. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '21'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 21 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 27 Fedora End Of Life 2016-11-24 05:49:54 EST
This message is a reminder that Fedora 23 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 23. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '23'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 23 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Note You need to log in before you can comment on or make changes to this bug.