[Pkg-openssl-devel] Bug#792490: openssl s_client doesn't allow for certificate pinning anymore!
Ben Hutchings
ben at decadent.org.uk
Mon Sep 7 12:00:20 UTC 2015
Control: severity -1 important
Control: tag -1 - security
On Wed, 15 Jul 2015 12:52:24 +0200 Florent Daigniere <nextgens at freenetproject.org> wrote:
> Package: openssl
> Version: 1.0.2d-1
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Dear Maintainer,
>
> It looks like openssl s_client is not providing any way to disregard
> the system's trusted CAs anymore... and this is a regression from
> Jessie.
[...]
openssl s_client doesn't check the certificate's names either, and
never has. It should only be used for debugging, not to make a secure
tunnel. For secure tunnelling see the example in
<https://www.decadent.org.uk/ben/blog/securing-git-imap-send-in-debian.html>
Ben.
--
Ben Hutchings
Kids! Bringing about Armageddon can be dangerous. Do not attempt it in
your own home. - Terry Pratchett and Neil Gaiman, `Good Omens'
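For contrast with s_client, here is what a client that actually enforces pinning has to do itself: restrict trust to one CA file, check the hostname, and compare the peer's SubjectPublicKeyInfo hash against an expected pin. This is an added example written for this page, not code from the bug report, from OpenSSL or from Ben's blog post; the minimal DER walker assumes a well-formed X.509 certificate, and host, port, cafile and expected_pin are the caller's own values.

```python
import base64
import hashlib
import socket
import ssl


def _tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long form: next n bytes carry the length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, pos, pos + length


def spki_pin(der_cert):
    """Return base64(SHA-256(SubjectPublicKeyInfo)) for a DER-encoded certificate."""
    _, tbs_start, _ = _tlv(der_cert, 0)           # Certificate SEQUENCE
    _, pos, _ = _tlv(der_cert, tbs_start)         # tbsCertificate SEQUENCE
    if der_cert[pos] == 0xA0:                     # optional [0] EXPLICIT version (absent in v1)
        pos = _tlv(der_cert, pos)[2]
    for _ in range(5):                            # serialNumber, signature, issuer, validity, subject
        pos = _tlv(der_cert, pos)[2]
    _, _, spki_end = _tlv(der_cert, pos)          # subjectPublicKeyInfo SEQUENCE
    return base64.b64encode(hashlib.sha256(der_cert[pos:spki_end]).digest()).decode()


def pinned_context(cafile):
    """Trust only the CAs in cafile (no system store) and require a matching hostname."""
    ctx = ssl.create_default_context(cafile=cafile)  # with cafile set, system CAs are not loaded
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def connect_pinned(host, port, cafile, expected_pin):
    """Open a TLS connection that fails unless CA, hostname and SPKI pin all match."""
    with socket.create_connection((host, port)) as sock:
        with pinned_context(cafile).wrap_socket(sock, server_hostname=host) as tls:
            got = spki_pin(tls.getpeercert(binary_form=True))
            if got != expected_pin:
                raise ssl.SSLError(f"SPKI pin mismatch for {host}: got {got}")
            return got
```

The pin to expect can be computed from the server's certificate with `spki_pin()` ahead of time, offline, and the connection is refused on any mismatch even when the chain otherwise validates.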