Florian Weimer of the Red Hat Product Security Team reported that x3270 did not properly validate SSL certificates. If pr3287 connects to a host that has a mismatched hostname in the certificate, it does not warn that there is a problem with the certificate. For instance, if bad.ssl.host points to the same IP as good.ssl.host, and it has an HTTPS certificate with the hostname for good.ssl.host:

$ gnutls-cli bad.ssl.host; echo $?
...
- The hostname in the certificate does NOT match 'bad.ssl.host'
1

vs.

$ pr3287 L:bad.ssl.host:443; echo $?
0

Later versions of x3270 introduced certificate chain validation, but the SSL validation support is incomplete, as was demonstrated above (pr3287 will not complain in such a case). The version of x3270 as provided with Red Hat Enterprise Linux 6 (3.3.6) uses the system root CA store in /etc/pki/tls/cert.pem, with no way of overriding it. The version as provided with Fedora 17 (3.3.12ga7), on the other hand, does provide the -cadir and -cafile options that allow it to be overridden.
Version 3.3.12 is the first version that actually started doing SSL certificate verification.

Statement: Not vulnerable. This issue did not affect the versions of x3270 as shipped with Red Hat Enterprise Linux 5 and 6 as they did not include support for SSL certificate verification.
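The check pr3287 is missing in the report above is the hostname step of certificate verification: after the chain has been validated, the name the client connected to must be matched against the certificate's subjectAltName dNSName entries (or, for legacy certificates without a SAN, the subject CN). The following is an added example, not code from x3270 or from this bug, showing that step in Python: a matcher written against the dict shape ssl.SSLSocket.getpeercert() returns (the ssl module no longer ships a public matcher, so it is re-implemented here), plus a context builder that keeps hostname checking on and accepts a CA file or directory override in the spirit of -cafile/-cadir. The sample certificate dict is constructed for the example and is not captured from any real host.

```python
import ipaddress
import socket
import ssl

# Constructed sample, shaped like ssl.SSLSocket.getpeercert() output for a
# certificate issued to good.ssl.host (not taken from any real server).
GOOD_HOST_CERT = {
    "subject": ((("commonName", "good.ssl.host"),),),
    "subjectAltName": (("DNS", "good.ssl.host"), ("DNS", "*.good.ssl.host")),
}

# Constructed legacy sample: no subjectAltName, only a CN.
CN_ONLY_CERT = {
    "subject": ((("commonName", "good.ssl.host"),),),
}


def _dns_name_match(pattern, hostname):
    """RFC 6125 style comparison of one dNSName pattern against a hostname.

    Case-insensitive; a wildcard is only honoured as the entire left-most
    label, only matches a single label, and (policy choice for this example)
    must leave at least two fixed labels so '*.host' is rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """Return True if `cert` (getpeercert() dict) is valid for `hostname`.

    This is the check whose absence lets pr3287 accept good.ssl.host's
    certificate when it was asked to talk to bad.ssl.host.
    """
    sans = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in sans if kind == "DNS"]
    ip_names = [value for kind, value in sans if kind == "IP Address"]

    # IP literals may only match iPAddress SAN entries, never a dNSName.
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        return any(ipaddress.ip_address(v) == wanted_ip for v in ip_names)

    # If any dNSName SAN is present, the CN must be ignored entirely.
    if dns_names:
        return any(_dns_name_match(p, hostname) for p in dns_names)

    # Legacy fallback: no SAN at all, so compare against the subject CN.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_name_match(value, hostname)
    return False


def verifying_context(cafile=None, capath=None):
    """Client SSLContext with chain *and* hostname verification enabled.

    cafile/capath play the role of -cafile/-cadir: when given they replace the
    system store, otherwise the platform default CA bundle is loaded.
    """
    ctx = ssl.create_default_context(cafile=cafile, capath=capath)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def connect_verified(host, port, cafile=None, capath=None, timeout=10):
    """Open a TLS connection that fails closed on a hostname mismatch.

    server_hostname is what the ssl module compares the peer certificate
    against; passing the name the user typed (bad.ssl.host) is what makes a
    certificate issued to good.ssl.host get rejected with an SSLCertVerificationError.
    """
    ctx = verifying_context(cafile=cafile, capath=capath)
    raw = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=host)
```

hostname_matches(GOOD_HOST_CERT, "bad.ssl.host") returns False while the same certificate matches good.ssl.host and one-label wildcards under it; CN_ONLY_CERT shows the legacy fallback. connect_verified is the network-facing wrapper and is not exercised offline.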
Paul, I've assigned a CVE name to this issue (CVE-2012-5662), which would be ideal to use in any upstream commits for a fix. Likewise, as this is not yet public we would like to coordinate a release date once we have a patch, so that we can inform other vendors prior to making any public commits, releases, or opening this bug up.
Public now and updated upstream packages are available: http://sourceforge.net/projects/x3270/files/x3270/3.3.12ga12/
Created x3270 tracking bugs for this issue

Affects: fedora-all [bug 924183]