Bug 889373 (CVE-2012-5662) - CVE-2012-5662 x3270: does not properly validate SSL certificates
Summary: CVE-2012-5662 x3270: does not properly validate SSL certificates
Alias: CVE-2012-5662
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 924183 980316
Blocks: 889374
Reported: 2012-12-21 00:18 UTC by Vincent Danen
Modified: 2021-10-19 21:58 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2021-10-19 21:58:13 UTC


Description Vincent Danen 2012-12-21 00:18:10 UTC
Florian Weimer of the Red Hat Product Security Team reported that x3270 did not properly validate SSL certificates.  If pr3287 connects to a host that has a mismatched hostname in the certificate, it does not warn that there is a problem with the certificate.

For instance if bad.ssl.host points to the same IP as good.ssl.host, and it has an HTTPS certificate with the hostname for good.ssl.host:

$ gnutls-cli bad.ssl.host; echo $?
- The hostname in the certificate does NOT match 'bad.ssl.host'


$ pr3287 L:bad.ssl.host:443; echo $?

Later versions of x3270 introduced certificate chain validation, but the SSL validation support is incomplete, as was demonstrated above (pr3287 will not complain in such a case).

The version of x3270 as provided with Red Hat Enterprise Linux 6 (3.3.6) uses the system root CA store in /etc/pki/tls/cert.pem, with no way of overriding it.  The version as provided with Fedora 17 (3.3.12ga7) on the other hand does provide the -cadir and -cafile options that allow it to be overridden.
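The failure mode described in this report is a client that validates the certificate chain but never compares the presented name to the host it dialed. As an added illustration (not x3270/pr3287 code, and not part of this bug report), the following stand-alone Python shows both halves of peer verification over a certificate in the dict layout that `ssl.SSLSocket.getpeercert()` returns, with name matching done per RFC 6125 rules (SAN dNSName entries first, subject CN only as a legacy fallback, a single wildcard only as the entire leftmost label). The certificate dict, the hostnames `good.ssl.host` and `bad.ssl.host`, and the `chain_valid` flag are constructed inputs; in a real client the chain result comes from the TLS library.

```python
"""Peer verification = chain validation AND hostname matching.
Added example, not x3270/pr3287 code. Certificates are constructed
dicts in the layout returned by ssl.SSLSocket.getpeercert()."""


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison of one certificate name against a hostname.
    Case-insensitive; a '*' is allowed only as the whole leftmost label,
    it never spans a dot, and it is refused for bare second-level names."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the entire leftmost label, at least two labels must
    # follow it, and no other label may contain a wildcard.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    if len(p_labels) != len(h_labels) or h_labels[0] == "":
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> list[str]:
    """Names the certificate asserts: SAN dNSName entries when present;
    otherwise (legacy certificates only) the subject commonName."""
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [
        value
        for rdn in cert.get("subject", ())
        for (kind, value) in rdn
        if kind == "commonName"
    ]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if any name in the certificate matches the dialed hostname."""
    return any(_dns_name_match(name, hostname) for name in cert_names(cert))


def verify_peer(cert: dict, hostname: str, chain_valid: bool) -> tuple[bool, str]:
    """Both checks are required. Stopping after chain_valid is exactly the
    gap the report describes: a valid certificate for good.ssl.host is
    accepted when the client actually connected to bad.ssl.host."""
    if not chain_valid:
        return False, "certificate chain does not validate"
    if not hostname_matches(cert, hostname):
        return False, f"the hostname in the certificate does NOT match {hostname!r}"
    return True, "ok"


# Constructed peer certificate, in getpeercert() layout, issued to good.ssl.host.
GOOD_HOST_CERT = {
    "subject": ((("commonName", "good.ssl.host"),),),
    "subjectAltName": (("DNS", "good.ssl.host"),),
}

if __name__ == "__main__":
    # Same certificate (same IP, same chain) reached under two different names.
    for host in ("good.ssl.host", "bad.ssl.host"):
        print(host, verify_peer(GOOD_HOST_CERT, host, chain_valid=True))
```

In a real Python client the equivalent of the second check is `SSLContext.check_hostname`, which `ssl.create_default_context()` enables together with chain verification; a client that sets `verify_mode = CERT_REQUIRED` but leaves `check_hostname = False` reproduces the behaviour this report describes.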

Comment 1 Vincent Danen 2012-12-21 17:18:10 UTC
Version 3.3.12 is the first version that actually started doing SSL certificate verification.

Not vulnerable. This issue did not affect the versions of x3270 as shipped with Red Hat Enterprise Linux 5 and 6 as they did not include support for SSL certificate verification.

Comment 2 Vincent Danen 2012-12-21 17:23:20 UTC
Paul, I've assigned a CVE name to this issue (CVE-2012-5662), which would be ideal to use in any upstream commits for a fix.  Likewise, as this is not yet public we would like to coordinate a release date once we have a patch, so that we can inform other vendors prior to making any public commits, releases, or opening this bug up.

Comment 3 Stefan Cornelius 2013-03-21 10:36:40 UTC
Public now and updated upstream packages are available:

Comment 4 Stefan Cornelius 2013-03-21 10:46:52 UTC
Created x3270 tracking bugs for this issue

Affects: fedora-all [bug 924183]
