Net::HTTPS Vulnerability

A vulnerability on the net/https library was reported.

Detailed information should be found at the original advisory: <URL:http://www.isecpartners.com/advisories/2007-006-rubyssl.txt>

Impact

The vulnerability exists in the connect method within http.rb file which fails to call post_connection_check after the SSL connection has been negotiated. Since the server certificate's CN is not validated against the requested DNS name, the attacker can impersonate the target server in a SSL connection. The integrity and confidentiality benefits of SSL are thereby eliminated.

Vulnerable versions

1.8 series
  • 1.8.4 and all prior versions
  • 1.8.5-p113 and all prior versions
  • 1.8.6-p110 and all prior versions
Development version (1.9 series)
All versions before 2006-09-23

Solution

1.8 series

Please upgrade to 1.8.6-p111 or 1.8.5-p114.

Then you should use Net::HTTP#enable_post_connection_check= to enable post_connection_check.

http = Net::HTTP.new(host, 443)
http.use_ssl = true
http.enable_post_connection_check = true
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
store = OpenSSL::X509::Store.new
store.set_default_paths
http.cert_store = store
http.start {
  response = http.get("/")
}

Please note that a package that corrects this weakness may already be available through your package management software.

Development version (1.9 series)
Please update your Ruby to a version after 2006-09-23. The default value of Net::HTTP#enable_post_connection_check is true on Ruby 1.9.

Changes

  • 2007-10-04 16:30 +09:00 added description for enable_post_connection_check to `Solution'.