Description:
We have discovered a critical security vulnerability in the HTTP client implementation of this library. In the SSL set-up of the client, certificate verification is disabled, allowing for potential Man-in-the-Middle (MITM) attacks.
Affected Code:
The most critical part of the code is located in BoostHttpOnlySslClient.cpp at line 43:
https://github.com/reo7sp/tgbot-cpp/blob/master/src/net/BoostHttpOnlySslClient.cpp#L43
```cpp
socket.set_verify_mode(ssl::verify_none);
socket.set_verify_callback(ssl::rfc2818_verification(url.host));
```
Issue:
The code sets the SSL verification mode to ssl::verify_none, so the result of validating the server certificate is ignored and the handshake completes even when the chain is untrusted; the host name callback on the following line therefore cannot reject the connection either, and any certificate is accepted.
Steps to Reproduce:
- Set up an SSL reverse proxy. Install Nginx:

```shell
sudo apt update
sudo apt install nginx
```

- Create a self-signed SSL certificate (the key/certificate directory is created first, and `-subj` keeps `openssl req` non-interactive):

```shell
sudo mkdir -p /etc/nginx/ssl
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj "/CN=myproxy.local" \
  -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt
```

- Configure Nginx to proxy requests to https://api.telegram.org:

```nginx
server {
    listen 443 ssl;
    server_name myproxy.local;
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;

    # Enable SSL protocols and ciphers
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;

    location / {
        proxy_pass https://api.telegram.org;

        # Preserve Host header
        proxy_set_header Host api.telegram.org;

        # Proxy headers
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # SSL settings for the upstream
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        proxy_ssl_ciphers HIGH:!aNULL:!MD5;

        # Increase proxy buffer size
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;

        # Timeout settings
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
    }
}

server {
    listen 80;
    server_name myproxy.local;
    return 301 https://$host$request_uri;
}
```

- Edit the hosts file (/etc/hosts) to resolve myproxy.local to 127.0.0.1:

```
127.0.0.1 myproxy.local
```

- Restart Nginx:

```shell
sudo systemctl restart nginx
```

- Point tgbot-cpp at the proxy by replacing the API URL https://api.telegram.org with https://myproxy.local in the client code.
Expected Behavior:
The HTTP client should verify the SSL certificate and fail the request if the certificate is invalid or not trusted. The client should not connect to the proxy when the SSL certificate verification fails.
Actual Behavior:
The HTTP client connects to the proxy server and accepts the invalid self-signed certificate, demonstrating that SSL certificate verification is not enforced, making it vulnerable to MITM attacks.
Suggested Fix:
To mitigate MITM vulnerabilities, enable SSL certificate verification in the HTTP client library. This can be achieved in a cross-platform manner by using the boost-certify library, which simplifies SSL certificate verification (system trust store loading and host name checks) with Boost.Beast and Boost.Asio.