Konqueror / kio_http does not check connection host name against names in SSL certificate correctly. Besides accepting certificates that have user-supplied host name listed as Common Name or one of the Subject Alternate Names, it also also treats certificate as matching requested side if the certificate was issued for an IP address user-specified host name resolved to. An attacker able to hijack or poison victim's DNS can use this flaw to perform MITM attack against victim's SSL connections.
The problem seems to be in KIO::TCPSlaveBase. TCPSlaveBase::connectToHost resolves host name to IP address(es) and uses IP to connect using QSslSocket. This is expected to result in HostNameMismatch certificate verification error, hence TCPSlaveBase::startTLSInternal implements its own custom host <-> certificate name checking. However, when server certificate was issued for the IP used to connect, no HostNameMismatch error is reported and the certificate is accepted as matching requested host.
Created attachment 452097 [details] Possible fix Possible fix for this issue. It has to be applied after wildcard handling fixes mentioned in bug #630063, comment #17. Review appreciated.
(In reply to comment #3) > Possible fix for this issue. It has to be applied after wildcard handling > fixes mentioned in bug #630063, comment #17. Review appreciated. Now committed in upstream git: https://projects.kde.org/projects/kde/kdelibs/repository/revisions/23621737060e4df0fba238c25fb5b65f81181971 Required previous commit after upstream SVN->git migration: https://projects.kde.org/projects/kde/kdelibs/repository/revisions/078eba4692a0fcf29de077db3972bf56a1702ae2
Patch is included in kdelibs 4.6.1.
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2011:0464 https://rhn.redhat.com/errata/RHSA-2011-0464.html