Posted by Shugo Maeda on 4 Oct 2007
A vulnerability on the net/https library was reported.
Detailed information should be found at the original advisory: <URL:http://www.isecpartners.com/advisories/2007-006-rubyssl.txt>
Impact
The vulnerability exists in the connect method within http.rb file which fails to call post_connection_check after the SSL connection has been negotiated. Since the server certificate's CN is not validated against the requested DNS name, the attacker can impersonate the target server in a SSL connection. The integrity and confidentiality benefits of SSL are thereby eliminated.
Vulnerable versions
- 1.8 series
-
- 1.8.4 and all prior versions
- 1.8.5-p113 and all prior versions
- 1.8.6-p110 and all prior versions
- Development version (1.9 series)
- All versions before 2006-09-23
Solution
- 1.8 series
-
Please upgrade to 1.8.6-p111 or 1.8.5-p114.
- <URL:https://cache.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p111.tar.gz>
- <URL:https://cache.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-p114.tar.gz>
Then you should use Net::HTTP#enable_post_connection_check= to enable post_connection_check.
http = Net::HTTP.new(host, 443) http.use_ssl = true http.enable_post_connection_check = true http.verify_mode = OpenSSL::SSL::VERIFY_PEER store = OpenSSL::X509::Store.new store.set_default_paths http.cert_store = store http.start { response = http.get("/") }
Please note that a package that corrects this weakness may already be available through your package management software.
- Development version (1.9 series)
- Please update your Ruby to a version after 2006-09-23. The default value of Net::HTTP#enable_post_connection_check is true on Ruby 1.9.
Changes
- 2007-10-04 16:30 +09:00 added description for enable_post_connection_check to `Solution'.