[MVLUG] I think this counts as a security flaw....

Michael Simmons msimmons1618 at gmail.com
Wed Sep 5 21:56:03 MDT 2012


Almost instant-classic.

From comments:

"... Patches are always welcome."

"...The code came out of a Summer of Code project in 2008;..."

-Michael

On Wed, Sep 5, 2012 at 9:44 AM, Joe Pfeiffer <joseph at pfeifferfamily.net> wrote:
> http://developer.pidgin.im/ticket/15308
>
> "SSL support appears to have been written by a lobotomy victim"
>
> One of the relevant code snippets is:
>
>    ssl_auth_cert(void *arg, PRFileDesc *socket, PRBool checksig,
>                  PRBool is_server)
>    {
>        return SECSuccess;
>
>    #if 0
>        CERTCertificate *cert;
>        void *pinArg;
>        SECStatus status;
>
>        cert = SSL_PeerCertificate(socket);
>        pinArg = SSL_RevealPinArg(socket);
>
>        status = CERT_VerifyCertNow((CERTCertDBHandle *)arg, cert, checksig,
>                                    certUsageSSLClient, pinArg);
>
>        if (status != SECSuccess) {
>            purple_debug_error("nss", "CERT_VerifyCertNow failed\n");
>            CERT_DestroyCertificate(cert);
>            return status;
>        }
>
>        CERT_DestroyCertificate(cert);
>        return SECSuccess;
>    #endif
>    }
>
> --
> Joseph J. Pfeiffer, Jr., Ph.D.                 http://pfeifferfamily.net/
> 1440 Tierra del Sol Dr                         575.525.2764 (H)
> Las Cruces, NM 88007                           575.496.3501 (C)


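An added example, not part of either message and not Pidgin's own code: a small Python audit check for the pattern in the quoted snippet, where a certificate hook returns `SECSuccess` while its only verification call sits inside `#if 0`. The function names, the set of NSS calls treated as verification, and the one-function-per-input simplification are assumptions made for this sketch.

```python
import re
# NSS entry points that validate a peer certificate chain.
VERIFIERS = re.compile(
    r"\b(CERT_VerifyCert(?:ificate)?(?:Now)?|CERT_PKIXVerifyCert|SSL_AuthCertificate)\s*\(")

def strip_disabled(src):
    """Drop lines compiled out by '#if 0' (nesting and '#else' handled, '#elif' is not)."""
    live, stack = [], []                      # stack item: [emitting, opened_by_if_0]
    for line in src.splitlines():
        if re.match(r"\s*#\s*if", line):      # #if, #ifdef, #ifndef
            zero = bool(re.match(r"\s*#\s*if\s+0\b", line))
            stack.append([not zero, zero])
        elif re.match(r"\s*#\s*else", line) and stack:
            stack[-1][0] = stack[-1][0] or stack[-1][1]   # '#else' of '#if 0' is compiled
        elif re.match(r"\s*#\s*endif", line) and stack:
            stack.pop()
        elif all(emitting for emitting, _ in stack):
            live.append(line)
    return live

def reachable(lines):
    """Keep lines up to the first 'return' at the function body's top brace level."""
    out, depth = [], 0
    for line in lines:
        out.append(line)
        if depth == 1 and re.match(r"\s*return\b", line):
            break
        depth += line.count("{") - line.count("}")
    return out

def verification_is_live(c_source):
    """True if a verification call survives preprocessing and can be reached."""
    src = re.sub(r"/\*.*?\*/|//[^\n]*", "", c_source, flags=re.S)   # ignore comments
    return any(VERIFIERS.search(l) for l in reachable(strip_disabled(src)))

# Condensed from the snippet quoted in the message above.
QUOTED = """
ssl_auth_cert(void *arg, PRFileDesc *socket, PRBool checksig, PRBool is_server)
{
 return SECSuccess;
#if 0
 status = CERT_VerifyCertNow((CERTCertDBHandle *)arg, cert, checksig, certUsageSSLClient, pinArg);
#endif
}
"""
# Constructed counterpart: the hook delegates to NSS's default SSL_AuthCertificate.
DELEGATING = QUOTED.split("{")[0] + "{\n return SSL_AuthCertificate(arg, socket, checksig, is_server);\n}\n"

if __name__ == "__main__":
    print(verification_is_live(QUOTED), verification_is_live(DELEGATING))
```

A `False` result is a prompt for review rather than proof of a flaw, since an application may validate the certificate somewhere other than the hook.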