Hi all,

I just wanted to make sure everybody is aware of this critical bug in the SSL client implementations (HTTPS, SMTP/TLS, …): https://github.com/rejectedsoftware/vibe.d/issues/469

It results in the connection being vulnerable to man-in-the-middle attacks, as any valid certificate will be accepted by the client code, even if it is not issued for the correct host name/IP.

Best,
David

(As I'm not aware of any production vibe.d deployments where this could be an exploitable issue yet, I chose to immediately publish this. If anybody wants me to follow usual Responsible Disclosure procedures in the future, please let me know, although this should also be documented on vibed.org.)
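The missing check described in the post above, as an added example that is not part of the original post and is not vibe.d's code: a client that stops after chain validation accepts a CA-signed certificate issued to a different name, while one that also matches the expected host against the certificate's subjectAltName entries rejects it. The function names, the `chain_ok` flag (a stand-in for real chain validation), the SAN-only matching policy and the sample certificates are assumptions; the dictionary layout follows what Python's `ssl.SSLSocket.getpeercert()` returns.

```python
import ipaddress

def _ip(value):
    """Parse an IP literal; None if the string is not an IP address."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None

def _dns_match(pattern: str, host: str) -> bool:
    """Match one dNSName; '*' is honoured only as the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # The wildcard covers exactly one label and needs two fixed labels after it.
        return len(p) >= 3 and p[1:] == h[1:]
    return "*" not in pattern and p == h

def host_matches_cert(cert: dict, expected: str) -> bool:
    """True only if the certificate names `expected` in its subjectAltName."""
    want_ip = _ip(expected)
    for kind, value in cert.get("subjectAltName", ()):
        if want_ip is not None:
            # An IP target must match an IP entry, never a DNS entry.
            if kind == "IP Address" and _ip(value) == want_ip:
                return True
        elif kind == "DNS" and _dns_match(value, expected):
            return True
    return False

def accept_peer(chain_ok: bool, cert: dict, expected: str, check_host: bool = True) -> bool:
    """check_host=False models a client that stops after chain validation."""
    return chain_ok and (not check_host or host_matches_cert(cert, expected))

# Constructed sample: a certificate with a valid chain, issued to another name.
OTHER_SITE_CERT = {
    "subject": ((("commonName", "other.example"),),),
    "subjectAltName": (("DNS", "other.example"), ("DNS", "*.other.example")),
}
# Constructed sample: a certificate bound to an IP address.
IP_CERT = {"subjectAltName": (("IP Address", "192.0.2.10"),)}

if __name__ == "__main__":
    print("chain only :", accept_peer(True, OTHER_SITE_CERT, "bank.example", check_host=False))
    print("chain+host :", accept_peer(True, OTHER_SITE_CERT, "bank.example"))
```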