Opened 8 months ago

Last modified 8 months ago

#1319 new defect

Critical security flaw: TLS (SSL) cert chain processing is made without using a proxy, directly from the app

Reported by: an809512 Owned by: ghazan
Priority: critical Milestone: 0.95
Component: core Version: 0.95.6
Severity: bug Keywords: security, ssl, tls, flaw, openssl
Cc:

Description (last modified by an809512)

There is a critical security flaw: TLS (SSL) certificate chain processing is made without using a proxy settings, but directly from the app!

I had checked that with a network analyzer and firewall with very stricted rules.

Miranda NG: v0.95.6 Build 17355
OS: Windows XP, OpenSSL.dll plugin (but I'm sure, this is not important)

I have settings for Jabber:
[ ] Use SSL [x] Use TL

Main settings for Network:
[x] Use proxy server: SOCKS5 / 127.0.0.1:9150 (TOR)
[x] Resolve hostnames through proxy
[x] Validate SSL certificates (I think this is important for reproducing the bug)

And when Miranda tries to connect to the server, it tries directly (without proxy server) connect to CA to checkout received certificates. It is a VERY CRITICAL SECURITY FLAW, because it is possible to understand who and where is connected.

All chain processing and validating must be through proxy too!

Here is a log (I had denied direct connections without proxy, so validation process is failed, so connection is failed too).

From the location: "Starting TLS... / Starting SSL negotiation / SSL established with ECDHE-RSA-AES256-GCM-SHA384"
it is tring to connect directly for CA-chain!

[4:12:35 0550] [Jabber] _xmpp-client._tcp.jabbim.sk resolved to lb.jabb.im:5222
[4:12:35 0550] [Jabber] Connection request to lb.jabb.im:5222 (Flags 0)....
[4:12:35 0550] [Jabber] (00A44C30) Connecting to proxy 127.0.0.1:9150 for lb.jabb.im:5222 ....
[4:12:35 0550] [Jabber] (00A44C30) Connecting to ip 127.0.0.1:9150 ....
[4:12:35 0550] [Jabber] (00A44C30:1204) Data sent (proxy)
00000000: 05 01 00 ...
[4:12:35 0550] [Jabber] (00A44C30:1204) Data received (proxy)
00000000: 05 00 ..
[4:12:35 0550] [Jabber] (00A44C30:1204) Data sent (proxy)
00000000: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx .....lb.jabb.im.
00000010: xx x
[4:12:42 0550] [Jabber] (00A44C30:1204) Data received (proxy)
00000000: 05 00 00 01-00 .....
[4:12:42 0550] [Jabber] (00A44C30:1204) Data received (proxy)
00000000: 00 00 00 00-00 .....
[4:12:42 0550] [Jabber] (1204) Connected to lb.jabb.im:5222
[4:12:42 0550] [Jabber] Thread type=0 server='lb.jabb.im' port='5222'
[4:12:42 0550] [Jabber] Stream is initializing after connect
[4:12:42 0550] [Jabber] (00A44C30:1204) Data sent
<?xml version="1.0" encoding="UTF-8"?><stream:stream xmlns="jabber:client" to="jabbim.sk" xmlns:stream="http://etherx.jabber.org/streams" xml:lang="en" version="1.0">
[4:12:42 0550] [Jabber] Entering main recv loop
[4:12:42 0550] [Jabber] (00A44C30:1204) Data received
<?xml version='1.0'?><stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' id='xxxxxxxxxxxxxxxxxxxx' from='jabbim.sk' version='1.0' xml:lang='en'>
[4:12:42 0550] [Jabber] recvResult = 177
[4:12:42 0550] [Jabber] bytesParsed = 177
[4:12:42 0550] [Jabber] (00A44C30:1204) Data received
<stream:features><c xmlns='http://jabber.org/protocol/caps' hash='sha-1' node='http://www.process-one.net/en/ejabberd/' ver='xxxxxxxxxxxxxxxxxxxxxxxxxxxx'/><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls></stream:features>
[4:12:42 0550] [Jabber] recvResult = 246
[4:12:42 0550] [Jabber] bytesParsed = 246
[4:12:42 0550] [Jabber] Requesting TLS
[4:12:42 0550] [Jabber] (00A44C30:1204) Data sent
<starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
[4:12:42 0550] [Jabber] (00A44C30:1204) Data received
<proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
[4:12:42 0550] [Jabber] recvResult = 50
[4:12:42 0550] [Jabber] bytesParsed = 50
[4:12:42 0550] [Jabber] Starting TLS...
[4:12:42 0550] [Jabber] (1204 jabbim.sk) Starting SSL negotiation
[4:12:43 0550] SSL established with ECDHE-RSA-AES256-GCM-SHA384
[4:12:43 0550] SSL connection failure(800b0109 315) :A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
[4:12:43 0550] [Jabber] (1204 jabbim.sk) Failure to negotiate SSL connection
[4:12:43 0550] [Jabber] SSL initialization failed
[4:12:43 0550] [Jabber] (00A44C30:1204) Data sent
</stream:stream>
[4:12:43 0550] [Jabber] Netlib_Recv() failed, error=10058
[4:12:43 0550] [Jabber] recvResult = 0
[4:12:43 0550] [Jabber] 1
[4:12:43 0550] [Jabber] 2
[4:12:43 0550] [Jabber] Thread ended: type=0 server='jabbim.sk'
[4:12:43 0550] [Jabber] (00A44C30:1204) Connection closed internal
[4:12:43 0550] [Jabber] (00A44C30:4294967295) Connection closed
[4:12:43 0550] [Jabber] Exiting ServerThread?

Change History (1)

comment:1 Changed 8 months ago by an809512

  • Description modified (diff)
  • Keywords flaw added; flow removed
  • Summary changed from Critical security flow: TLS (SSL) cert chain processing is made without using a proxy, directly from the app to Critical security flaw: TLS (SSL) cert chain processing is made without using a proxy, directly from the app
Note: See TracTickets for help on using tickets.