lunarmodules / luasec


document or implement lack of hostname verification #161

Open johannesboon opened 4 years ago

johannesboon commented 4 years ago

LuaSec, although the name suggests otherwise, seems not very secure by default, as it will gladly accept server certificates with any hostname.

Please consider this ancient paper:

The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software

And maybe start using the function X509_VERIFY_PARAM_set1_host (introduced in OpenSSL 1.1) to verify the hostname against the Subject Alternative Name, although some functions have also been available since OpenSSL 1.0.2; see the OpenSSL website wiki on Hostname Validation.

Or at least document the limitations of the current verification and the implications they might have.

Or maybe something based on this pull request:

https://github.com/brunoos/luasec/pull/49/
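As an added illustration of the check this issue says is missing (this is not LuaSec's code and not the reporter's), here is an application-side hostname match against a certificate's Subject Alternative Name dNSName entries, following the RFC 6125 rules: case-insensitive comparison, a `*` allowed only as the entire left-most label, and a wildcard never spanning a dot or covering a whole public suffix. The `san` list is constructed sample data; extracting the real dNSName values from the peer certificate after the handshake is assumed to be done by the application and is not shown.

```lua
-- Added example: application-side hostname verification for a TLS client.
-- Matches the requested host against the certificate's SAN dNSName entries.
-- A subject CN fallback is deliberately omitted; modern validation uses SAN only.

local function normalize(name)
  -- lower-case and strip one trailing dot (absolute FQDN form)
  return (name:lower():gsub("%.$", ""))
end

local function label_match(pattern, host)
  if pattern == host then return true end
  -- wildcard only as the whole first label, e.g. "*.example.com"
  local rest = pattern:match("^%*%.(.+)$")
  if not rest then return false end
  -- the host must have exactly one label in front of the pattern's remainder
  local hostrest = host:match("^[^%.]+%.(.+)$")
  if not hostrest or hostrest ~= rest then return false end
  -- refuse patterns like "*.com" whose remainder is a bare suffix
  return rest:find("%.") ~= nil
end

-- Returns true when host matches any dNSName in the SAN list.
local function hostname_matches(host, san_dns_names)
  host = normalize(host)
  if host == "" or host:find("%*") then return false end
  for _, name in ipairs(san_dns_names) do
    if label_match(normalize(name), host) then return true end
  end
  return false
end

-- Constructed sample: SAN dNSName entries as an application would pull them
-- from the peer certificate after the handshake (that wiring is assumed).
local san = { "www.example.com", "*.example.org", "EXAMPLE.NET." }

assert(hostname_matches("www.example.com", san))
assert(hostname_matches("api.example.org", san))      -- wildcard, one label
assert(hostname_matches("example.net", san))          -- case and trailing dot
assert(not hostname_matches("evil.example.com", san)) -- no wildcard entry for .com
assert(not hostname_matches("a.b.example.org", san))  -- wildcard spans one label only
assert(not hostname_matches("example.org", san))      -- wildcard requires a label
print("hostname checks OK")
```

A client that does this after the handshake, and fails closed when the match is false, gets the protection the default configuration lacks.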

ziz57 commented 3 months ago

What's the situation with this? Are clients using luasec expected to do their own hostname verification?