One of the most common issues with TLS client applications is that they don't
perform hostname verification or do it incorrectly (ignore SANs, handle
wildcards incorrectly). As a result, often they will accept any certificate
signed by any trusted CA. Given that acquiring a certificates can be
completely free (even an email certificate will work), it's trivial to MitM
such appplications.
I'd like to extend rpmlint to perform rudimentary checks to see if that
happens[1].
A draft of the proposal to FPC is here:
https://fedoraproject.org/wiki/User:Hkario/HostnameChecks
Suggestions?
1 - the check would be just "if call to A is present, check if call to B is
present", the way setgid, setuid, setgroups is done, just generalised
--
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web:
www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic