VYPR
Moderate severity · NVD Advisory · Published Aug 26, 2019 · Updated Aug 6, 2024

CVE-2016-10932

Description

An issue was discovered in the hyper crate before 0.9.4 for Rust on Windows. There is an HTTPS man-in-the-middle vulnerability because hostname verification was omitted.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Hyper crate before 0.9.4 for Rust on Windows lacked hostname verification, enabling HTTPS man-in-the-middle attacks.

Vulnerability

Overview

CVE-2016-10932 is a vulnerability in the hyper crate for Rust, affecting versions prior to 0.9.4 when used on Windows. The root cause is that the OpenSSL backend's default client performed no hostname verification: after the TLS handshake completed, the client never checked that the identity in the server certificate (its dNSName subjectAltName entries, or the subject CN) matched the hostname it had set out to reach. The pre-fix `Default` impl for `OpensslClient` built a bare `SslContext` with no verify callback and no default CA paths, and the verify mode in effect was SSL_VERIFY_NONE, so the handshake succeeded regardless of which certificate the peer presented [1][4].

Attack

Vector and Exploitation

The vulnerability is exploitable over the network with high attack complexity: no authentication or user interaction is required, but the attacker needs an on-path position (the same network segment, control of DNS, or a compromised router or access point). From that position the attacker answers the client's connection and presents a certificate for a name other than the target. With the default verify mode of SSL_VERIFY_NONE the handshake succeeds whatever certificate is presented, and even where chain validation is enabled a certificate that is valid for some other domain passes, because the certificate's name is never compared with the hostname the client asked for. The hyper client then treats the attacker as the legitimate server, and the attacker can read, drop, or modify everything exchanged on the connection [1][2].

Impact

The NVD vector scores successful exploitation as low confidentiality and low integrity impact. In practice the attacker holds a full man-in-the-middle position on a connection the client believes is valid HTTPS: every request body, header, cookie, and credential the client sends is readable, and every response can be rewritten before it reaches the application, so the realistic outcomes are credential or token theft and manipulation of the data the client acts on. The vulnerability does not affect availability [1].

Mitigation

The issue was fixed in hyper version 0.9.4, released on May 9, 2016. The fix enables hostname verification by default for the OpenSSL backend: the `OpensslClient` default context now loads the system CA store via `set_default_verify_paths()` and disables SSLv2 and SSLv3, and `wrap_client` sets SSL_VERIFY_PEER together with a verify callback (from the openssl-verify crate) that checks the server hostname against the certificate [3][4]. Users should update the hyper crate to at least 0.9.4. No workaround is mentioned in the advisory. This vulnerability is also tracked under RustSec advisory RUSTSEC-2016-0002 [1].
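To make the missing check concrete, here is an added example (not hyper's or openssl-verify's code) of the hostname verification step described in the Overview and restored by the fix, written against the Rust standard library only. `CertNames`, `VerifyMode`, and `accept_handshake` are constructed stand-ins for the identities parsed out of a server certificate and for the client's accept/reject decision; the certificates and target names are constructed test data. The matching rules go slightly beyond the single case in the text (wildcards, CN fallback, IP targets), following the usual RFC 6125 conventions.

```rust
// Added example: the hostname check CVE-2016-10932 omitted, modelled in std-only Rust.
// CertNames is a constructed stand-in for the names a server certificate carries;
// it is not hyper's or openssl-verify's API.
use std::net::IpAddr;

#[derive(Debug, Default)]
pub struct CertNames {
    pub dns_sans: Vec<String>,      // dNSName subjectAltName entries
    pub ip_sans: Vec<IpAddr>,       // iPAddress subjectAltName entries
    pub common_name: Option<String>, // subject CN, legacy fallback only
}

/// RFC 6125 style DNS-ID match: case-insensitive, `*` allowed only as the
/// entire left-most label, never spanning a dot, and never matching a bare
/// registered domain such as `*.com`. Partial wildcards (`a*.example`) are rejected.
fn dns_name_match(pattern: &str, host: &str) -> bool {
    let pattern = pattern.trim_end_matches('.').to_ascii_lowercase();
    let host = host.trim_end_matches('.').to_ascii_lowercase();
    if !pattern.contains('*') {
        return pattern == host;
    }
    let (p_first, p_rest) = match pattern.split_once('.') {
        Some(parts) => parts,
        None => return false,
    };
    if p_first != "*" || p_rest.contains('*') || !p_rest.contains('.') {
        return false;
    }
    match host.split_once('.') {
        Some((h_first, h_rest)) => !h_first.is_empty() && h_rest == p_rest,
        None => false,
    }
}

/// Returns true only if the presented certificate identifies `host`.
/// SAN entries take precedence; CN is consulted only when no dNSName SAN exists.
pub fn verify_hostname(cert: &CertNames, host: &str) -> bool {
    if let Ok(ip) = host.parse::<IpAddr>() {
        // An IP target matches only iPAddress SANs: no wildcard, no CN fallback.
        return cert.ip_sans.contains(&ip);
    }
    if !cert.dns_sans.is_empty() {
        return cert.dns_sans.iter().any(|p| dns_name_match(p, host));
    }
    cert.common_name
        .as_deref()
        .map_or(false, |cn| dns_name_match(cn, host))
}

/// Verify mode the client applies to the peer's identity (constructed stand-in).
#[derive(Clone, Copy)]
pub enum VerifyMode {
    None, // pre-0.9.4 default: the certificate's identity is never checked
    Peer, // 0.9.4 default: hostname must match the certificate
}

/// Constructed stand-in for the accept/reject decision hyper's wrap_client makes.
pub fn accept_handshake(mode: VerifyMode, host: &str, presented: &CertNames) -> bool {
    match mode {
        VerifyMode::None => true,
        VerifyMode::Peer => verify_hostname(presented, host),
    }
}

fn main() {
    let target = "api.example.com";
    // Constructed data: an on-path attacker holds a certificate for their own domain.
    let attacker_cert = CertNames {
        dns_sans: vec!["*.attacker.example".to_string()],
        ..Default::default()
    };
    let genuine_cert = CertNames {
        dns_sans: vec!["api.example.com".to_string(), "*.example.com".to_string()],
        ..Default::default()
    };
    println!(
        "vulnerable default accepts attacker cert: {}",
        accept_handshake(VerifyMode::None, target, &attacker_cert)
    );
    println!(
        "fixed default rejects attacker cert: {}",
        !accept_handshake(VerifyMode::Peer, target, &attacker_cert)
    );
    println!(
        "fixed default accepts genuine cert: {}",
        accept_handshake(VerifyMode::Peer, target, &genuine_cert)
    );
}
```

The `VerifyMode::None` arm is what the page describes for the pre-fix default: nothing ties the certificate to the requested name, so any on-path peer is accepted. Real deployments must also validate the chain to a trusted root; this example isolates only the name-matching step the CVE concerns.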

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package             Affected versions   Patched versions
hyper (crates.io)   < 0.9.4             0.9.4

Affected products

2

Patches

1
01160abd9295

feat(ssl): enable hostname verification by default for OpenSSL

https://github.com/hyperium/hyper · Sean McArthur · May 8, 2016 · via ghsa
3 files changed · +15 −8
  • Cargo.toml (+5 −1, modified)
    @@ -32,6 +32,10 @@ default-features = false
     version = "0.7"
     optional = true
     
    +[dependencies.openssl-verify]
    +version = "0.1"
    +optional = true
    +
     [dependencies.security-framework]
     version = "0.1.4"
     optional = true
    @@ -49,6 +53,6 @@ env_logger = "0.3"
     
     [features]
     default = ["ssl"]
    -ssl = ["openssl", "cookie/secure"]
    +ssl = ["openssl", "openssl-verify", "cookie/secure"]
     serde-serialization = ["serde", "mime/serde"]
     nightly = []
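Review bot: only the `ssl` feature is extended with `openssl-verify`; the implicit `openssl` feature of the optional dependency is untouched, so a build with `--no-default-features --features openssl` gets the OpenSSL backend without the verification crate. Since src/net.rs now calls `::openssl_verify::verify_callback` from inside `mod openssl`, that configuration fails to compile rather than silently skipping the check, which is the safer failure but still worth either coupling the two dependencies or documenting that `ssl` is the supported feature.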
    
  • src/lib.rs (+2 −0, modified)
    @@ -133,6 +133,8 @@ extern crate time;
     #[macro_use] extern crate url;
     #[cfg(feature = "openssl")]
     extern crate openssl;
    +#[cfg(feature = "openssl-verify")]
    +extern crate openssl_verify;
     #[cfg(feature = "security-framework")]
     extern crate security_framework;
     #[cfg(feature = "serde-serialization")]
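Review bot: `extern crate openssl_verify` is gated on `feature = "openssl-verify"` while its only user, the callback installed in src/net.rs, sits inside `mod openssl` under the `openssl` gate; gate both declarations on the same feature so the crate import and the call site cannot drift apart in later feature changes.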
    
  • src/net.rs (+8 −7, modified)
    @@ -619,7 +619,7 @@ mod openssl {
         use std::sync::Arc;
         use std::time::Duration;
     
    -    use openssl::ssl::{Ssl, SslContext, SslStream, SslMethod, SSL_VERIFY_NONE};
    +    use openssl::ssl::{Ssl, SslContext, SslStream, SslMethod, SSL_VERIFY_NONE, SSL_VERIFY_PEER, SSL_OP_NO_SSLV2, SSL_OP_NO_SSLV3};
         use openssl::ssl::error::StreamError as SslIoError;
         use openssl::ssl::error::SslError;
         use openssl::x509::X509FileType;
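Review bot: `SSL_VERIFY_NONE` stays in the import list although the `Default` impl below no longer uses it. If nothing else in `mod openssl` references it, drop it to avoid an unused-import warning; if something does (for instance a public way to turn verification off), that path deserves a doc comment saying it reintroduces exactly the issue this commit fixes.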
    @@ -651,11 +651,10 @@ mod openssl {
     
         impl Default for OpensslClient {
             fn default() -> OpensslClient {
    -            OpensslClient(SslContext::new(SslMethod::Sslv23).unwrap_or_else(|e| {
    -                // if we cannot create a SslContext, that's because of a
    -                // serious problem. just crash.
    -                panic!("{}", e)
    -            }))
    +            let mut ctx = SslContext::new(SslMethod::Sslv23).unwrap();
    +            ctx.set_default_verify_paths().unwrap();
    +            ctx.set_options(SSL_OP_NO_SSLV2 | SSL_OP_NO_SSLV3);
    +            OpensslClient(ctx)
             }
         }
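Review bot: the removed comment explained why panicking in `Default` is acceptable, but the replacement uses two bare `.unwrap()` calls, so a failing `ctx.set_default_verify_paths().unwrap()` (which now panics at client construction on a host with no usable CA store) surfaces as an anonymous `Result::unwrap()` panic. Prefer `.expect("failed to load default CA paths")` and `.expect("failed to create SslContext")` so the operator can tell the two apart. Disabling SSLv2/SSLv3 via `set_options` is a separate hardening change that is not covered by the commit message and should get its own changelog line.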
     
    @@ -664,8 +663,10 @@ mod openssl {
             type Stream = SslStream<T>;
     
             fn wrap_client(&self, stream: T, host: &str) -> ::Result<Self::Stream> {
    -            let ssl = try!(Ssl::new(&self.0));
    +            let mut ssl = try!(Ssl::new(&self.0));
                 try!(ssl.set_hostname(host));
    +            let host = host.to_owned();
    +            ssl.set_verify_callback(SSL_VERIFY_PEER, move |p, x| ::openssl_verify::verify_callback(&host, p, x));
                 SslStream::connect(ssl, stream).map_err(From::from)
             }
         }
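Review bot: `SSL_VERIFY_PEER` and the hostname callback are installed per connection on the `Ssl` handle, while the `SslContext` built in `Default` keeps OpenSSL's default verify mode; because `OpensslClient` is a public tuple struct, a caller that builds an `Ssl` from `self.0` directly gets no verification. Setting the verify mode on the context in `Default` as well would make the context fail closed. The three files changed also carry no test that a certificate for another name is rejected by `wrap_client`; a regression test for that case would pin this fix.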
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 6

News mentions: 0

No linked articles in our index yet.