
document or implement lack of hostname verification

Open · johannesboon opened this issue 4 years ago · 1 comment

LuaSec, although the name suggests otherwise, seems not very secure by default, as it will gladly accept server certificates with any hostname.

Please consider this ancient paper:

The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software

And maybe start using the function X509_VERIFY_PARAM_set1_host (introduced in OpenSSL 1.1) to verify the hostname against the Subject Alternative Name, although some functions are also available since OpenSSL 1.0.2; see the OpenSSL wiki page on Hostname Validation.

Or at least document the limitations of the current verification and the implications they might have.

Or maybe something based on this pull request:

https://github.com/brunoos/luasec/pull/49/

johannesboon · May 20 '20 11:05

What's the situation with this? Are clients using luasec expected to do their own hostname verification?

ziz57 · Jun 15 '24 11:06
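The issue body asks for hostname verification and the follow-up asks whether callers are expected to do it themselves. The following is an added example, not code from LuaSec or from either commenter, of what a client has to do today: let LuaSec validate the chain (`verify = "peer"`), then compare the requested host against the peer certificate's SAN dNSName entries (falling back to the subject CN only when no SAN is present) using the RFC 6125 matching rules for a single left-most wildcard label. It assumes the documented shape of LuaSec's x509 object, `cert:extensions().subjectAltName.dNSName` as a list of strings and `cert:subject()` as a list of `{ name = "CN", value = ... }` entries, the `conn:sni()` method of LuaSec 0.5 and later, and a CA bundle path that is a placeholder. The `fake_cert` at the bottom is a constructed stand-in, not a real certificate, so the matcher can be exercised offline.

```lua
-- Added example, not LuaSec's own code: application-level hostname
-- verification after the handshake, because LuaSec's verify = "peer"
-- only validates the chain and does not compare names.
local socket = require("socket")
local ssl = require("ssl")

local function split_labels(name)
  local labels = {}
  for label in string.gmatch(name, "[^%.]+") do
    labels[#labels + 1] = label
  end
  return labels
end

-- Match one certificate DNS name (possibly "*.example.com") against host.
-- Conservative reading of RFC 6125 section 6.4.3:
--   * case-insensitive, trailing dot ignored
--   * '*' is accepted only as the entire left-most label
--   * the wildcard matches exactly one label and needs >= 3 labels total
--   * IPv4 literals are never matched by a wildcard
local function match_dns_name(pattern, host)
  pattern = pattern:lower():gsub("%.$", "")
  host = host:lower():gsub("%.$", "")
  if pattern == host then return true end
  local p, h = split_labels(pattern), split_labels(host)
  if #p ~= #h or #p < 3 or p[1] ~= "*" then return false end
  if host:match("^%d+%.%d+%.%d+%.%d+$") then return false end
  for i = 2, #p do
    if p[i] ~= h[i] then return false end
  end
  return true
end

-- Names the certificate is valid for: SAN dNSName entries if present,
-- otherwise (legacy fallback only) the subject CN.
-- Assumption: table shapes as documented for LuaSec's x509 object.
local function cert_names(cert)
  local names = {}
  local ext = cert:extensions()
  local san = ext and ext.subjectAltName
  if san and san.dNSName then
    for _, n in ipairs(san.dNSName) do names[#names + 1] = n end
    return names, "subjectAltName"
  end
  for _, entry in ipairs(cert:subject()) do
    if entry.name == "CN" then names[#names + 1] = entry.value end
  end
  return names, "CN"
end

local function verify_hostname(cert, host)
  local names, source = cert_names(cert)
  for _, n in ipairs(names) do
    if match_dns_name(n, host) then return true, n, source end
  end
  return false, table.concat(names, ", "), source
end

-- Connect, validate the chain via LuaSec, then enforce the hostname check.
local function connect_verified(host, port)
  local params = {
    mode     = "client",
    protocol = "tlsv1_2",
    cafile   = "/etc/ssl/certs/ca-certificates.crt", -- assumption: placeholder path
    verify   = "peer",                                -- chain only, no name check
    options  = "all",
  }
  local tcp = assert(socket.tcp())
  assert(tcp:connect(host, port))
  local conn = assert(ssl.wrap(tcp, params))
  conn:sni(host)                       -- assumption: LuaSec >= 0.5
  assert(conn:dohandshake())
  local ok, detail, source = verify_hostname(conn:getpeercertificate(), host)
  if not ok then
    conn:close()
    error(("hostname mismatch for %s: certificate %s names were %s")
          :format(host, source, detail))
  end
  return conn
end

-- Constructed stand-in for a LuaSec x509 object (not a real certificate),
-- used only to exercise the matcher without a network.
local fake_cert = {
  extensions = function()
    return { subjectAltName = { dNSName = { "*.example.com", "example.com" } } }
  end,
  subject = function()
    return { { name = "CN", value = "ignored.example.net" } }
  end,
}
assert(verify_hostname(fake_cert, "www.example.com"))
assert(verify_hostname(fake_cert, "EXAMPLE.COM."))
assert(not verify_hostname(fake_cert, "deep.www.example.com"))  -- wildcard spans one label
assert(not verify_hostname(fake_cert, "ignored.example.net"))   -- CN ignored when SAN present

return { connect_verified = connect_verified, verify_hostname = verify_hostname }
```

The check runs after `dohandshake()` because LuaSec only exposes the peer certificate once the handshake has completed, so a mismatch is detected after the TLS session exists but before any application data is sent; closing the connection at that point is what keeps a mis-issued or wrong-host certificate from being used. Doing the comparison in OpenSSL itself via `X509_VERIFY_PARAM_set1_host`, as the issue proposes, would reject the certificate during the handshake instead and remove the need for this application-side code.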