#1745 SSL Connections (https://) do not have their certificate validated

KeePass_2.x
closed
nobody
5
2013-06-30
2013-06-29
greg.webhop
No

When loading, saving or synchronizing with a url using https KeePass fails to validate the certificate. In reviewing the source it appears that this is done intentionally to allow self signed certificates however this greatly weakens the protection of SSL.

I have created a patch (attached) that provides adds an option to Allow Invalid Certificates. This will allow users who connect to servers with invalid certificates to continue to function and allow those (such as myself) who would like the full protection of SSL.

The patch defaults to requiring valid certificates, which I think is appropriate for software that claims high levels of security.

Please let me know if you prefer the patch in a different format.

1 Attachments

Discussion

  • Dominik Reichl

    Dominik Reichl - 2013-06-30
    • status: open --> closed
     
  • Dominik Reichl

    Dominik Reichl - 2013-06-30

    As database files are encrypted, SSL protection is rather irrelevant. KeePass' database security relies on a strong master key used for encryption, not on the security of the storage or the connection to the storage. You can even transfer a database file using unencrypted FTP without any security problems.

    Some people might want to fully use SSL anyway, thus I've now added an option like you suggested. By default, the option is configured to reject invalid SSL certificates.

    Here's the latest development snapshot for testing:
    http://keepass.info/filepool/KeePass_130630.zip

    Moving to closed feature requests.

    Thanks and best regards,
    Dominik

     
  • Dominik Reichl

    Dominik Reichl - 2013-06-30

    Ticket moved from /p/keepass/bugs/1130/

     

Log in to post a comment.