[MVLUG] I think this counts as a security flaw....

Joe Pfeiffer joseph at pfeifferfamily.net
Wed Sep 5 09:44:24 MDT 2012


http://developer.pidgin.im/ticket/15308

"SSL support appears to have been written by a lobotomy victim"

One of the relevant code snippets is:

    static SECStatus
    ssl_auth_cert(void *arg, PRFileDesc *socket, PRBool checksig,
    			  PRBool is_server)
    {
    	return SECSuccess;

    #if 0
    	CERTCertificate *cert;
    	void *pinArg;
    	SECStatus status;

    	cert = SSL_PeerCertificate(socket);
    	pinArg = SSL_RevealPinArg(socket);

    	status = CERT_VerifyCertNow((CERTCertDBHandle *)arg, cert, checksig,
    								certUsageSSLClient, pinArg);

    	if (status != SECSuccess) {
    		purple_debug_error("nss", "CERT_VerifyCertNow failed\n");
    		CERT_DestroyCertificate(cert);
    		return status;
    	}

    	CERT_DestroyCertificate(cert);
    	return SECSuccess;
    #endif
    }

-- 
Joseph J. Pfeiffer, Jr., Ph.D.                 http://pfeifferfamily.net/
1440 Tierra del Sol Dr                         575.525.2764 (H)
Las Cruces, NM 88007                           575.496.3501 (C)
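
An added example, not part of the original post and not Pidgin's code: a small Python source check for the pattern in the snippet above, a certificate callback that can return SECSuccess while its CERT_VerifyCertNow call is compiled out by `#if 0`. The helper names, the result labels and the two variant sources are assumptions constructed for illustration.

```python
import re

VERIFY_CALLS = ("CERT_VerifyCertNow",)  # from the quoted snippet; extend per code base

def live_code(src):
    """Blank comments/strings, then drop '#if 0' regions as the preprocessor would."""
    src = re.sub(r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\])*"', " ", src, flags=re.S)
    out, depth = [], 0                      # depth > 0: inside a disabled region
    for line in src.splitlines():
        if depth:                           # nested #if/#ifdef opens, #endif closes
            m = re.match(r"\s*#\s*(if|endif)", line)
            depth += {"if": 1, "endif": -1}[m.group(1)] if m else 0
        elif re.match(r"\s*#\s*if\s+0\b", line):
            depth = 1
        else:
            out.append(line)
    return "\n".join(out)

def function_body(src, name):
    """Text between the outermost braces of function `name`, or None if absent."""
    m = re.search(r"\b%s\s*\([^)]*\)\s*\{" % re.escape(name), src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def audit_callback(src, name):
    """'unverified' if SECSuccess is reachable with no verification call before it."""
    body = function_body(live_code(src), name)
    if body is None:
        return "not-found"
    before = re.split(r"\breturn\s+SECSuccess\s*;", body, maxsplit=1)[0]
    called = any(re.search(r"\b%s\s*\(" % re.escape(c), before) for c in VERIFY_CALLS)
    return "verifies" if called else "unverified"

# Constructed C sources built from the quoted function (not Pidgin's files).
HEAD = "static SECStatus\nssl_auth_cert(void *arg, PRFileDesc *socket, PRBool checksig, PRBool is_server)\n{\n"
CHECK = ("\tstatus = CERT_VerifyCertNow((CERTCertDBHandle *)arg, cert, checksig,\n"
         "\t\tcertUsageSSLClient, pinArg);\n\tif (status != SECSuccess) {\n\t\treturn status;\n\t}\n")
QUOTED = HEAD + "\treturn SECSuccess;\n#if 0\n" + CHECK + "\treturn SECSuccess;\n#endif\n}\n"
DISABLED = HEAD + "#if 0\n" + CHECK + "#endif\n\treturn SECSuccess;\n}\n"  # check compiled out
ENABLED = HEAD + CHECK + "\treturn SECSuccess;\n}\n"                       # check compiled in

if __name__ == "__main__":
    for label, src in (("quoted", QUOTED), ("disabled", DISABLED), ("enabled", ENABLED)):
        print(label, audit_callback(src, "ssl_auth_cert"))
```

The check is textual (statement order, not control flow), so a "verifies" result still needs a reader to confirm that every path to SECSuccess passes through the verification call.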

