Project

General

Profile

Actions
Copy link

Bug #19033

closed

CVE-2017-2667 - SSL/HTTPS server certificates are not verified by default

Added by Dominic Cleal over 7 years ago. Updated over 7 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Tomáš Strachota
Category:
Hammer core
Target version:
-
Difficulty:
Triaged:
Bugzilla link:
Pull request:
https://github.com/theforeman/hammer-cli/pull/235, https://github.com/theforeman/hammer-cli-foreman/pull/293
Team Backlog:
Fixed in Releases:
Found in Releases:
In Kanboard:
Red Hat JIRA:

Description

HTTPS connections initiated by Hammer to the API server do not perform validation of the server SSL/TLS certificate, allowing for a man-in-the-middle attack against the user.

#12400 has introduced automatic certificate verification when an SSL CA is explicitly configured, but the default for HTTPS connections remains off. It could be verified against the system CA store.

Reported by Tomas Strachota to .

Related issues 1 (0 open1 closed)

Related to Hammer CLI - Bug #12400: Missing option to enable verification of the server certificate.ClosedRobert Frank11/05/2015Actions
Actions
Copy link

Also available in: Atom PDF