| Summary: | CVE-2007-6591: konqueror accepts certificates with subjectAltName:dNSName fields, even though these fields cannot be examined | | |
|---|---|---|---|
| Product: | [Applications] konqueror | Reporter: | sf |
| Component: | general | Assignee: | Konqueror Developers <konq-bugs> |
| Status: | RESOLVED WORKSFORME | | |
| Severity: | normal | CC: | adawit, ahartmetz, rich, security |
| Priority: | NOR | | |
| Version: | 3.5 | | |
| Target Milestone: | --- | | |
| Platform: | unspecified | | |
| OS: | Linux | | |
| Latest Commit: | | Version Fixed In: | |
Description
sf
2008-01-01 12:02:42 UTC
Completely correct for KDE 3.5.7. But for 4.0.3, after the domain mismatch, https:// pages on the test site given at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6591

Test Case for 4.0.3:

1. Go to http://test.eonis.org in konq. Note the alternate domain names listed here; you will be looking for these in the security certificate in the next steps.
2. Click on the link for [page 2] at the bottom of the page.
3. Note that the certificate warning provides no immediate indication of domain mismatch.
4. Click DETAILS for more information. Notice there is no report of domain mismatch.
5. Accept the certificate (for this session only).
6. Click on the [page 3] link.
7. Page 3 will not load (is this a safeguard against phishing or is this a malfunction?) and you will be greeted by this message:

   An error occurred while loading https://test.eonis.org/: The process for the https://test.eonis.org protocol died unexpectedly.

The above test passes just fine for me with KDE 4.7.4. I get the warning message 2x and no error page as stated in comment #1. Please note that the test page seems to be http://test.eonis.net/ and not the .org one.

The test certificate seems to have multiple different issues. I agree with the fundamental issue that the cert dialog does not show subjectAltNames; that is definitely a bug. We intentionally accept wildcards in subjectAltNames (as do most browsers). We use the same algorithm as NSS for the actual wildcard handling itself. Displaying the SAN information has been possible using QSslSocket for ages, so it can be implemented in 4.8.x without too much problem. Displaying other certificate extensions has only become possible in Qt 5 (I recently added it).
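As an added example (not Konqueror or KDE code, and not the NSS algorithm the last comment refers to), the following Python shows the three pieces a certificate-warning dialog needs in order to report a domain mismatch: the dNSName entries taken from subjectAltName (falling back to the commonName only when there are none), a wildcard matcher, and the list of names that were actually compared against the requested host. The certificate is constructed inline in the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, using the test-site names mentioned above; the wildcard rules are an assumption (RFC 6125 style, possibly stricter than NSS or Konqueror), and `SAMPLE_CERT`, `dns_names`, `hostname_matches` and `check_cert` are names chosen here.

```python
"""Hostname validation against a certificate's subjectAltName dNSName entries.

Added example, not Konqueror/KDE code. It works on the dictionary shape that
ssl.SSLSocket.getpeercert() returns, so the certificate below is constructed
inline rather than fetched from a live server.
"""
import re

# Constructed sample, shaped like ssl.SSLSocket.getpeercert() output.
# The CN deliberately differs from the SANs: a dialog that only shows the
# CN hides which names the certificate is actually valid for.
SAMPLE_CERT = {
    "subject": ((("commonName", "Test Certificate"),),),
    "subjectAltName": (
        ("DNS", "test.eonis.net"),
        ("DNS", "*.eonis.net"),
        ("email", "someone@example.invalid"),   # not a dNSName, ignored
    ),
}

# One DNS label: letters, digits, inner hyphens, 1..63 characters.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def dns_names(cert):
    """Return the names the certificate is valid for.

    Only subjectAltName dNSName entries count when any are present; the
    commonName is a fallback for certificates that have none (the
    RFC 6125 section 6.4.4 rule, which is also what browsers do).
    """
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return [value]
    return []


def _normalize(name):
    # Case-insensitive comparison; a trailing dot is the same name.
    return name.lower().rstrip(".")


def hostname_matches(pattern, hostname):
    """Match one dNSName pattern against a hostname.

    Wildcard rules (assumption, RFC 6125 style; stricter than some clients):
    - '*' is only accepted as the whole left-most label ('*.example.com'),
      so partial wildcards such as 'f*.example.com' are rejected;
    - the wildcard matches exactly one label, so '*.eonis.net' matches
      neither 'eonis.net' nor 'a.b.eonis.net';
    - at least two labels must follow the wildcard ('*.com' is rejected).
    """
    pattern = _normalize(pattern)
    hostname = _normalize(hostname)
    if not pattern or not hostname:
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if not all(_LABEL.match(label) for label in h_labels):
        return False  # malformed hostname (or a '*' smuggled into it)
    if "*" in pattern:
        if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
            return False  # partial or non-leftmost wildcard
        if len(p_labels) < 3:
            return False  # '*.com' would cover a whole TLD
        if len(h_labels) != len(p_labels):
            return False  # the wildcard covers exactly one label
        return h_labels[1:] == p_labels[1:]
    return p_labels == h_labels


def check_cert(cert, hostname):
    """Return (matched, names) so a UI can show which names were compared.

    Reporting only 'matched' gives the user no way to see a domain mismatch;
    showing 'names' next to the requested hostname is what the bug asks for.
    """
    names = dns_names(cert)
    matched = any(hostname_matches(n, hostname) for n in names)
    return matched, names


if __name__ == "__main__":
    for host in ("test.eonis.net", "www.eonis.net", "test.eonis.org",
                 "a.b.eonis.net", "eonis.net"):
        ok, names = check_cert(SAMPLE_CERT, host)
        status = "ok" if ok else "MISMATCH"
        print(f"{host:16} {status:9} certificate names: {', '.join(names)}")
```

Run as a script it prints one line per hostname; `test.eonis.org` is reported as a mismatch together with the two names the certificate actually carries, which is the information the 4.0.3 dialog in the test case above did not surface. Internationalised names are not handled here; a real client would convert them to A-labels (punycode) before calling `hostname_matches`.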