PT-2016-4587 · Openssl · Rust-Openssl

Published

2016-11-05

Updated

2023-02-27

CVE-2016-10931

CVSS v3.1

8.1 (High)

Vector

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

rust-openssl versions prior to 0.9.0

Description

The openssl crate for Rust shipped with insecure defaults that expose SSL/TLS connections to man-in-the-middle attacks. Specifically, certificate verification was disabled by default, and the crate provided no API for hostname verification. A client built on these defaults accepts any certificate, so a network attacker can intercept the connection unless the developer explicitly configured verification. Newer versions address the problem by enabling certificate verification by default and exposing APIs that perform hostname verification.

Recommendations

For versions prior to 0.9.0, update to version 0.9.0 or later, which enables certificate verification by default and exposes APIs for hostname verification. Use the SslConnector and SslAcceptor types instead of the lower-level SslContext type so that these defaults and checks apply.
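The check that the advisory says pre-0.9.0 rust-openssl did not expose, shown as an added, self-contained illustration rather than the openssl crate's own code: a minimal RFC 6125-style DNS-name matcher, plus a policy function that models the two defaults (nothing verified, as before 0.9.0; chain and hostname both verified, as an SslConnector configures them). The function names, the Verdict enum and the sample certificate names are constructed for this example; in real code the crate's SslConnector performs these checks through OpenSSL itself. The point the block makes is that chain validation alone is not enough: a certificate that is valid but issued for a different name must still be rejected.

```rust
// Added example, not part of rust-openssl: a small RFC 6125-style DNS-ID
// matcher and a policy model of "verify nothing" versus "verify chain and
// hostname". All names below are constructed for illustration.

/// Normalise a DNS name for comparison: lowercase, strip trailing dots.
fn normalize(name: &str) -> String {
    name.trim_end_matches('.').to_ascii_lowercase()
}

/// Does one certificate DNS name (possibly with a left-most wildcard) match `host`?
/// Rules enforced (a subset of RFC 6125 section 6.4.3):
/// - comparison is case-insensitive
/// - a wildcard must be the entire left-most label, e.g. `*.example.com`
/// - a wildcard pattern needs at least three labels, so `*.com` never matches
/// - the wildcard covers exactly one label, so `a.b.example.com` does not match `*.example.com`
pub fn dns_name_matches(pattern: &str, host: &str) -> bool {
    let pattern = normalize(pattern);
    let host = normalize(host);
    if pattern.is_empty() || host.is_empty() {
        return false;
    }
    // No wildcard: exact equality after normalisation.
    if !pattern.contains('*') {
        return pattern == host;
    }
    let plabels: Vec<&str> = pattern.split('.').collect();
    let hlabels: Vec<&str> = host.split('.').collect();
    // The wildcard is only allowed as the whole first label, and only once.
    if plabels[0] != "*" || plabels[1..].iter().any(|l| l.contains('*')) {
        return false;
    }
    if plabels.len() < 3 || plabels.len() != hlabels.len() {
        return false;
    }
    // The wildcard must match a non-empty label; every other label must be equal.
    !hlabels[0].is_empty() && plabels[1..] == hlabels[1..]
}

/// Hostname verification over the DNS subjectAltName entries of a certificate.
/// The entries are passed as a plain list here; a real verifier reads them from
/// the X.509 SAN extension. Succeeds only if at least one entry matches.
pub fn verify_hostname(san_dns_names: &[&str], host: &str) -> bool {
    san_dns_names.iter().any(|p| dns_name_matches(p, host))
}

/// Outcome of a connection check under a given policy.
#[derive(Debug, PartialEq)]
pub enum Verdict {
    Accepted,
    RejectedChain,
    RejectedHostname,
}

/// `chain_valid` stands in for the result of OpenSSL's chain verification,
/// which pre-0.9.0 defaults never consulted. `verify_peer` and `verify_host`
/// model the two switches the advisory is about.
pub fn check_connection(
    verify_peer: bool,
    verify_host: bool,
    chain_valid: bool,
    san_dns_names: &[&str],
    host: &str,
) -> Verdict {
    if verify_peer && !chain_valid {
        return Verdict::RejectedChain;
    }
    if verify_host && !verify_hostname(san_dns_names, host) {
        return Verdict::RejectedHostname;
    }
    Verdict::Accepted
}

fn main() {
    // Constructed sample: a chain-valid certificate issued for other names.
    let san = ["other.example.net", "*.other.example.net"];
    // Pre-0.9.0 default (verification off): the mismatched certificate is accepted.
    println!("{:?}", check_connection(false, false, true, &san, "bank.example.com"));
    // SslConnector-style policy: chain is valid but the name does not match.
    println!("{:?}", check_connection(true, true, true, &san, "bank.example.com"));
}
```

Running `main` prints `Accepted` for the old default and `RejectedHostname` for the connector-style policy, because the constructed certificate is chain-valid but names a different site. The matcher also refuses wildcards that span more than one label or sit directly under a top-level label (`*.com`), two of the mistakes a home-grown hostname check commonly makes.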

Weakness Enumeration

Improper Certificate Validation

Related Identifiers

CVE-2016-10931
GHSA-34P9-F4Q3-C4R7
RUSTSEC-2016-0001

Affected Products

Rust-Openssl