[Python-Dev] ssl module and LibreSSL CVE-2018-8970

Christian Heimes christian at python.org
Wed Apr 4 16:38:31 EDT 2018


I like to share the story of a critical security bug with you. Contrary
to other issues in TLS/SSL, it's a story with happy ending. Nobody was
harmed. The bug was fixed before it affected the general population.


Python's ssl.match_hostname() function was a source of several CVEs and
other security bugs. After a long struggle, I decided to drop support
for old OpenSSL releases and uses a new OpenSSL method to offload host
name verification to OpenSSL. The improvement [1] eventually landed in
Python 3.7. Nowadays OpenSSL verifies host name or IP address during the
TLS/SSL handshake.

Later I discovered that LibreSSL <= 2.6 did not have
X509_VERIFY_PARAM_set1_host() [2]. We had to temporarily suspend support
for LibreSSL. About two months later, LibreSSL caught up and released
version 2.7.0 with support for the function.

The bug

One day after the release of LibreSSL 2.7.0, I started to port Python
3.7 to LibreSSL. In matter of minutes I got the ssl module to compile
and work with LibreSSL. All tests were passing -- except for negative
the host name verification tests. LibreSSL was accepting all invalid
host names as correct! Python's vigorous test suite had discovered a
critical security bug in LibreSSL.

It turned out that LibreSSL copied the implementation of
X509_VERIFY_PARAM_set1_host(param, name, namelen) from BoringSSL and the
documentation from OpenSSL. BoringSSL's implementation didn't support
the special case of 0 as namelen parammeter. OpenSSL supports namelen =
0, which is interpreted as namelen=strlen(name). It is documented in
OpenSSL's man page and was even recommended on OpenSSL's wiki as
preferred way.

Happy Ending

So I got in contact with LibreSSL's security team and BoringSSL's
security team [3]. Less than a day later, both libraries released fixes
for the bug [4]. Mitre has assigned CVE-2018-8970 [5] to the bug.
Disaster averted!

BoringSSL's security issue [3] contains more information. Adam Langley
lifted the restriction about an hour ago.

I like to thank Bob Beck (LibreSSL), Adam Langley (Google) and David
Benjamin (Google) for their assistance and cooperation.


[1] https://bugs.python.org/issue31399
[2] https://github.com/libressl-portable/portable/issues/381
[3] https://bugs.chromium.org/p/chromium/issues/detail?id=824799
[4] https://www.libressl.org/releases.html
[5] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8970

More information about the Python-Dev mailing list