8000 axTLS-based modussl: ussl.wrap_socket silently accepts invalid certificates · Issue #1862 · micropython/micropython · GitHub

ncoghlan opened this issue Feb 28, 2016 · 6 comments

@ncoghlan

Investigating micropython/micropython-lib#69, I found the current SSL/TLS socket creation code at

STATIC mp_obj_ssl_socket_t *socket_new(mp_obj_t sock) {

If I'm reading that correctly:

  1. Wrapping a socket without providing any certificate verification details results in no verification being performed;
  2. Even if verification details are provided, they're still ignored

This makes the documentation at http://docs.micropython.org/en/latest/library/ussl.html#ussl.ssl.wrap_socket thoroughly misleading, as even if the additional arguments are passed in, they won't be processed.

I realise actually implementing this will require a significant amount of work, so my request at this point would be for passing in unsupported arguments to result in a hard failure, rather than silently appearing to succeed without actually providing the claimed security guarantees.

@ncoghlan

For background on the changes that were made to CPython's default behaviour in this area: https://www.python.org/dev/peps/pep-0476/

For MicroPython, the idea of relying on the system certificate stores isn't valid (since those interfaces don't exist on embedded systems), hence the idea in micropython/micropython-lib#69 (comment) of expecting either the Mozilla cert bundle or dedicated security certificates to be available when creating HTTPS connections, and refusing to create them otherwise.

@danicampora

I should point out that the docs in
http://docs.micropython.org/en/latest/library/ussl.html#ussl.ssl.wrap_socket
are valid but specific to the WiPy. We should make that clear and also
separate what applies to the other ports.


@sigmavirus24

See also https://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-9365. I would argue a separate CVE should be assigned for this behaviour in micropython.

@pfalcon
pfalcon commented May 22, 2016

micropython/micropython-lib#69 (comment) explains that the initial user story behind the ussl module was "make over-zealous HTTPS services work as HTTP". Stakeholders of other user stories are welcome to share them here, gather together, and find a solution to this issue.

@pfalcon
pfalcon commented May 22, 2016

bca4c9e adds disclosure of the cert validation behavior to the official docs. Note that this is the first time docs for the axTLS-based ussl module are published, 2 weeks after the first release of the port where it was enabled (esp8266 port). The unix port still doesn't have it enabled (something to do soon, finally).

@pfalcon
pfalcon commented May 22, 2016

wipy is not susceptible to the issue as described (it has support for cert validation; the implementation is not open-source from the upstream vendor (TI), so cannot be audited for omissions, bugs, or backdoors).
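As an added example (not MicroPython's own code), the fail-closed behaviour the opening post asks for, combined with the explicit opt-out that the "make HTTPS work as HTTP" user story above needs: the two backends are constructed stand-ins for the axTLS-based and the verifying (WiPy-like) ussl ports, and the backend_verifies flag is an assumption, since ussl itself exposes no such capability flag.

```python
# Added example, not MicroPython's code. Models the two behaviours discussed in the
# thread: a backend that silently ignores verification arguments (axTLS-based ussl)
# and a fail-closed wrapper that turns unsupported verification into a hard error.
CERT_NONE, CERT_OPTIONAL, CERT_REQUIRED = 0, 1, 2


def axtls_wrap_socket(sock, server_side=False, keyfile=None, certfile=None,
                      cert_reqs=CERT_NONE, ca_certs=None):
    # Constructed stand-in for the reported bug: every verification argument is dropped.
    return {"sock": sock, "verified": False}


def verifying_wrap_socket(sock, server_side=False, keyfile=None, certfile=None,
                          cert_reqs=CERT_NONE, ca_certs=None):
    # Constructed stand-in for a port that honours cert_reqs/ca_certs (WiPy-like).
    return {"sock": sock, "verified": cert_reqs != CERT_NONE and ca_certs is not None}


class VerificationUnsupported(Exception):
    """The backend cannot verify certificates; refuse rather than silently downgrade."""


def wrap_socket_fail_closed(backend, sock, cert_reqs=CERT_REQUIRED, ca_certs=None,
                            backend_verifies=False):
    """Wrap `sock` with `backend` without ever pretending verification happened.

    backend_verifies is an assumed per-port capability flag (ussl has none), so a
    real deployment would set it at build time for the port in use.
    Passing cert_reqs=CERT_NONE is the explicit opt-out (PEP 476 style) for the
    "treat HTTPS like HTTP" use case; it is never the silent default.
    """
    if cert_reqs == CERT_NONE:
        return backend(sock, cert_reqs=CERT_NONE)
    if not backend_verifies:
        raise VerificationUnsupported(
            "this ussl build ignores cert_reqs/ca_certs; pass cert_reqs=CERT_NONE "
            "to knowingly accept an unverified connection")
    if ca_certs is None:
        # The thread's proposal: require a CA bundle or a dedicated cert, else refuse.
        raise ValueError("cert_reqs requires ca_certs (a CA bundle or pinned certificate)")
    return backend(sock, cert_reqs=cert_reqs, ca_certs=ca_certs)


def raises(fn, exc_type, *args, **kwargs):
    """Return True if fn(*args, **kwargs) raises exc_type (helper for self-checks)."""
    try:
        fn(*args, **kwargs)
    except exc_type:
        return True
    return False
```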

@pfalcon pfalcon changed the title ussl.wrap_socket silently accepts invalid certificates axTLS-based modussl: ussl.wrap_socket silently accepts invalid certificates May 22, 2016