Florian Weimer of the Red Hat Product Security Team reported that x3270 did not properly validate SSL certificates. If pr3287 connects to a host that has a mismatched hostname in the certificate, it does not warn that there is a problem with the certificate.
For instance if bad.ssl.host points to the same IP as good.ssl.host, and it has an HTTPS certificate with the hostname for good.ssl.host:
$ gnutls-cli bad.ssl.host; echo $?
- The hostname in the certificate does NOT match 'bad.ssl.host'
$ pr3287 L:bad.ssl.host:443; echo $?
Later versions of x3270 introduced certificate chain validation, but the SSL validation support is incomplete, as was demonstrated above (pr3287 will not complain in such a case).
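The check that is missing in the report above is the comparison of the requested hostname against the names the server certificate actually carries. The following is an added illustration, not code from x3270 or from this bug: it implements that comparison over the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns (a constructed sample certificate for good.ssl.host is embedded, using the two hostnames from the report), and shows the client-side context setting that makes the standard library enforce the same check. Wildcard and IP-address handling follow RFC 6125 conventions; the function and variable names are this example's own.

```python
import ipaddress
import ssl

# Constructed sample of what ssl.SSLSocket.getpeercert() returns for a certificate
# issued to good.ssl.host. This is not a real certificate; the names are the ones
# used in the report.
PEER_CERT = {
    "subject": ((("commonName", "good.ssl.host"),),),
    "subjectAltName": (("DNS", "good.ssl.host"), ("DNS", "*.good.ssl.host")),
}


def _dns_name_matches(pattern, hostname):
    """Compare one DNS name from the certificate against the requested host.

    Comparison is case-insensitive, a trailing dot is ignored, and a wildcard is
    accepted only as the whole left-most label. A wildcard never spans a dot,
    never matches an empty label, and is refused for patterns like '*.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    first, rest = p_labels[0], p_labels[1:]
    if first != "*" or any("*" in label for label in rest):
        return False  # only a whole left-most label may be a wildcard
    if len(h_labels) < 3 or not h_labels[0]:
        return False  # too broad a wildcard, or an empty left-most label
    return rest == h_labels[1:]


def hostname_matches(cert, hostname):
    """Return True only if hostname is covered by the certificate.

    DNS subjectAltName entries are authoritative; the subject commonName is
    consulted only when the certificate carries no DNS SAN at all. A hostname
    that is an IP address may only match an 'IP Address' SAN, never a DNS name.
    """
    if not cert:
        return False  # no peer certificate at all: nothing to trust
    sans = cert.get("subjectAltName", ())
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        return any(kind == "IP Address" and ipaddress.ip_address(value) == wanted_ip
                   for kind, value in sans)
    dns_names = [value for kind, value in sans if kind == "DNS"]
    if not dns_names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns_names.append(value)
    return any(_dns_name_matches(name, hostname) for name in dns_names)


def strict_client_context():
    """A client context that verifies the chain AND the hostname.

    ssl.create_default_context() sets check_hostname=True and
    verify_mode=CERT_REQUIRED, so a mismatch like the one in the report is
    rejected during the handshake instead of being silently accepted.
    """
    return ssl.create_default_context()


def context_is_strict(ctx):
    """True if a context will refuse a peer whose certificate does not name the host."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


if __name__ == "__main__":
    for host in ("good.ssl.host", "bad.ssl.host", "tn3270.good.ssl.host"):
        verdict = "accept" if hostname_matches(PEER_CERT, host) else "REJECT"
        print(f"{host:24s} {verdict}")
    print("default context strict:", context_is_strict(strict_client_context()))
```

With the constructed certificate, `good.ssl.host` and the single-label wildcard case are accepted while `bad.ssl.host` is rejected, which is the warning the report says pr3287 never produced.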
The version of x3270 as provided with Red Hat Enterprise Linux 6 (3.3.6) uses the system root CA store in /etc/pki/tls/cert.pem, with no way of overriding it. The version as provided with Fedora 17 (3.3.12ga7) on the other hand does provide the -cadir and -cafile options that allow it to be overridden.
Version 3.3.12 is the first version that actually started doing SSL certificate verification.
Not vulnerable. This issue did not affect the versions of x3270 as shipped with Red Hat Enterprise Linux 5 and 6 as they did not include support for SSL certificate verification.
Paul, I've assigned a CVE name to this issue (CVE-2012-5662), which would be ideal to use in any upstream commits for a fix. Likewise, as this is not yet public we would like to coordinate a release date once we have a patch, so that we can inform other vendors prior to making any public commits, releases, or opening this bug up.
Public now and updated upstream packages are available:
Created x3270 tracking bugs for this issue
Affects: fedora-all [bug 924183]