[Bug 574921] Broken TLS server certificate validation in Eclipse ioFog agent
Bugzilla Link | 574921 |
Status | NEW |
Importance | P3 normal |
Reported | Jul 19, 2021 23:18 EDT |
Modified | Oct 21, 2021 15:51 EDT |
Description
From the security inbox:
--
To me it looks as if the ioFog agent fails to properly validate server side TLS certificates:
This is present in ioFog 2.0, but the same code is also part of the most recent development branch.
To my understanding of the code, the validator only checks if the server presents at least one certificate which is signed by the trust anchor. However, this can basically be any certificate.
Additionally, timestamps and hostnames are not checked.
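As an added illustration (not ioFog's code and not part of the report), the following shows a hypothetical trust manager with the weakness described above beside the hardened form a client should use: the JDK's PKIX trust manager for chain and validity-period checks plus endpoint identification for the hostname check. The class and method names, the trust-store path and the password are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class TlsValidationExample {
    // Hypothetical weak validator reproducing the pattern the report describes: it only
    // asks whether *some* certificate in the presented chain carries a signature that
    // verifies under the trust anchor's key. Chain order, validity period and hostname
    // are never examined, so any anchor-signed certificate passes.
    static X509TrustManager weakTrustManager(X509Certificate trustAnchor) {
        return new X509TrustManager() {
            public void checkServerTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                for (X509Certificate c : chain) {
                    try {
                        c.verify(trustAnchor.getPublicKey()); // signature only
                        return;                               // any hit counts as trusted
                    } catch (Exception ignored) { /* try the next certificate */ }
                }
                throw new CertificateException("no certificate signed by trust anchor");
            }
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[] { trustAnchor }; }
        };
    }

    // Hardened form: the JDK's PKIX trust manager builds and validates the whole chain
    // (signatures, validity dates, basic constraints, key usage), and endpoint
    // identification matches the leaf certificate against the host being contacted.
    static SSLSocket connectValidated(String host, int port, String trustStorePath,
                                      char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        SSLParameters p = s.getSSLParameters();
        p.setEndpointIdentificationAlgorithm("HTTPS"); // hostname / subjectAltName check
        s.setSSLParameters(p);
        s.startHandshake(); // throws if the chain, its dates or the hostname fail validation
        return s;
    }
}
```

A quick review check for this class of bug is to grep a code base for custom `X509TrustManager` implementations and confirm each one either delegates to a PKIX-initialised `TrustManagerFactory` or is paired with an explicit hostname check.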