[Python-Dev] ssl module and LibreSSL CVE-2018-8970

Christian Heimes christian at python.org
Wed Apr 4 16:38:31 EDT 2018


Hi,

I like to share the story of a critical security bug with you. Contrary
to other issues in TLS/SSL, it's a story with happy ending. Nobody was
harmed. The bug was fixed before it affected the general population.


Introduction
------------

Python's ssl.match_hostname() function was a source of several CVEs and
other security bugs. After a long struggle, I decided to drop support
for old OpenSSL releases and uses a new OpenSSL method to offload host
name verification to OpenSSL. The improvement [1] eventually landed in
Python 3.7. Nowadays OpenSSL verifies host name or IP address during the
TLS/SSL handshake.

Later I discovered that LibreSSL <= 2.6 did not have
X509_VERIFY_PARAM_set1_host() [2]. We had to temporarily suspend support
for LibreSSL. About two months later, LibreSSL caught up and released
version 2.7.0 with support for the function.


The bug
-------

One day after the release of LibreSSL 2.7.0, I started to port Python
3.7 to LibreSSL. In matter of minutes I got the ssl module to compile
and work with LibreSSL. All tests were passing -- except for negative
the host name verification tests. LibreSSL was accepting all invalid
host names as correct! Python's vigorous test suite had discovered a
critical security bug in LibreSSL.

It turned out that LibreSSL copied the implementation of
X509_VERIFY_PARAM_set1_host(param, name, namelen) from BoringSSL and the
documentation from OpenSSL. BoringSSL's implementation didn't support
the special case of 0 as namelen parammeter. OpenSSL supports namelen =
0, which is interpreted as namelen=strlen(name). It is documented in
OpenSSL's man page and was even recommended on OpenSSL's wiki as
preferred way.


Happy Ending
------------

So I got in contact with LibreSSL's security team and BoringSSL's
security team [3]. Less than a day later, both libraries released fixes
for the bug [4]. Mitre has assigned CVE-2018-8970 [5] to the bug.
Disaster averted!

BoringSSL's security issue [3] contains more information. Adam Langley
lifted the restriction about an hour ago.

I like to thank Bob Beck (LibreSSL), Adam Langley (Google) and David
Benjamin (Google) for their assistance and cooperation.

Regards,
Christian

[1] https://bugs.python.org/issue31399
[2] https://github.com/libressl-portable/portable/issues/381
[3] https://bugs.chromium.org/p/chromium/issues/detail?id=824799
[4] https://www.libressl.org/releases.html
[5] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8970



More information about the Python-Dev mailing list