
httpclient skips cert check for TLS

Open blockauditech opened this issue 6 years ago • 0 comments

cmd/hcashctl/httpclient.go

// Configure TLS if needed.
[.............]
		pool := x509.NewCertPool()
		if ok := pool.AppendCertsFromPEM(pem); !ok {
			return nil, fmt.Errorf("invalid certificate file: %v",
				cfg.RPCCert)
		}
		tlsConfig = &tls.Config{
			RootCAs:            pool,
			InsecureSkipVerify: cfg.TLSSkipVerify, // HERE
		}
	}

This opens up MITM attacks as the certificate is not checked. If you all choose to accept this risk, or fix it using a proper certificate, it at least should be noted in the comments of the code or documentation.

// InsecureSkipVerify controls whether a client verifies the
// server's certificate chain and host name.
// If InsecureSkipVerify is true, TLS accepts any certificate
// presented by the server and any host name in that certificate.
// In this mode, TLS is susceptible to man-in-the-middle attacks.
// This should be used only for testing.
InsecureSkipVerify bool

References: https://golang.org/pkg/crypto/tls/ https://info.checkmarx.com/hubfs/GOwhitepaper0504.pdf

blockauditech • May 02 '18 22:05
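Added example, not part of the original issue or the hcashd code base: it builds a `tls.Config` in the shape quoted in the issue and runs three handshakes against a local test server, so the effect of `InsecureSkipVerify` on an untrusted certificate is visible. The names `constructedCertPEM`, `handshake` and `results` are hypothetical, `skipVerify` stands in for `cfg.TLSSkipVerify`, and the certificate and key are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/http/httptest"
	"time"
)

// constructedCertPEM returns a throwaway self-signed cert (constructed; all-zero key seed).
func constructedCertPEM() []byte {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// handshake uses the tls.Config shape from the issue; skipVerify stands in for cfg.TLSSkipVerify.
func handshake(addr string, trustedPEM []byte, skipVerify bool) error {
	pool := x509.NewCertPool()
	if ok := pool.AppendCertsFromPEM(trustedPEM); !ok {
		return fmt.Errorf("invalid certificate")
	}
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: pool, InsecureSkipVerify: skipVerify})
	if err == nil {
		conn.Close()
	}
	return err
}

// results: the test server presents its own cert; "other" is a cert it does not hold.
func results() (pinned, mismatchVerified, mismatchSkipped error) {
	srv := httptest.NewTLSServer(nil)
	defer srv.Close()
	addr, other := srv.Listener.Addr().String(), constructedCertPEM()
	own := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	return handshake(addr, own, false), handshake(addr, other, false), handshake(addr, other, true)
}

func main() { fmt.Println(results()) }
```

With verification on, the client rejects a server whose certificate is not in `RootCAs`; with `InsecureSkipVerify: true` the same mismatch is accepted silently, so the `RootCAs` pool no longer constrains anything.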