CVE-2020-13614: Axel may not verify server certificate CN/SAN/hostname (allowing SSL interception) · Issue #262 · axel-download-accelerator/axel

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Comments

It looks like Axel’s SSL’s connections do not verify server certificate hostnames. To fix this the SSL context should set a certificate callback or use SSL_set1_host to set the intended hostname.

This is an issue since it uses SSL_CTX_set_default_verify_paths and loads all root authorities from the OS. See https://wiki.openssl.org/index.php/Hostname_validation for a description of this nuance with the OpenSSL APIs.

Here is potentially insecure code
https://github.com/axel-download-accelerator/axel/blob/master/src/ssl.c#L83

[…] ssl_ctx = SSL_CTX_new(SSLv23_client_method()); if (!conf->insecure) { SSL_CTX_set_default_verify_paths(ssl_ctx); SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL); } SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);

ssl = SSL_new(ssl_ctx); SSL_set_fd(ssl, fd); SSL_set_tlsext_host_name(ssl, hostname);

int err = SSL_connect(ssl); if (err <= 0) { […]

davidpolverari pushed a commit to davidpolverari/axel that referenced this issue

Aug 26, 2021

2 participants