http://bugs.exim.org/show_bug.cgi?id=1479
Summary: hostname check missing when verifying X509 certificate
Product: Exim
Version: 4.82
Platform: Other
OS/Version: Windows
Status: NEW
Severity: security
Priority: high
Component: TLS
AssignedTo: pdp@???
ReportedBy: heboyuan@???
CC: exim-dev@???
Exim provides SSL/TLS support to encrypt SMTP connections.
The SSL/TLS support in Exim is implemented using both OpenSSL and GnuTLS.
In the GnuTLS implementation (src/tls-gnu.c), the hostname check is missing when
performing the X509 certificate verification, which may cause a serious security
problem that completely breaks the TLS mechanism.
The function verify_certificate() can only guarantee the validity of the
certificate but cannot guarantee that the host you are trying to connect to is the
one you intend to visit, which may lead to a man-in-the-middle attack or other
security issues.
In fact, hostname checking is critical when using GnuTLS. One needs to make sure
that the certificate is valid for the site that is claiming ownership of it
using the API gnutls_x509_crt_check_hostname(). And in GnuTLS newer than
3.1.4, a new API gnutls_certificate_verify_peers3() is introduced, which
combines certificate hostname checking together with certificate validity
checking, in order to avoid this problem.
In addition, I don't see the Exim OpenSSL implementation (src/tls-openssl.c), but
it may also have the same problem.
For more details, here is a related paper:
http://people.stfx.ca/x2011/x2011ucj/SSL/p38-georgiev.pdf
Thanks.
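The report's point is that chain validation and hostname matching are two separate checks, and a verifier that stops after the first one accepts any valid certificate, including one issued to the attacker. The following is an added example, not code from Exim or GnuTLS: a stand-alone C implementation of the dNSName matching that gnutls_x509_crt_check_hostname() performs (case-insensitive comparison, wildcard only as the whole left-most label, one label per wildcard, no "*.com"), applied to a constructed man-in-the-middle scenario. The host names mail.example.com and attacker.example, and the assumption that the chain already verified, are constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Length of s without a single trailing '.' (absolute DNS name form). */
static size_t trimmed_len(const char *s) {
    size_t n = strlen(s);
    if (n > 0 && s[n - 1] == '.')
        n--;
    return n;
}

/* Case-insensitive compare of two byte ranges (DNS names are case-insensitive). */
static int ci_equal(const char *a, size_t alen, const char *b, size_t blen) {
    if (alen != blen)
        return 0;
    for (size_t i = 0; i < alen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Number of dot-separated labels in name[0..len). */
static size_t label_count(const char *name, size_t len) {
    if (len == 0)
        return 0;
    size_t n = 1;
    for (size_t i = 0; i < len; i++)
        if (name[i] == '.')
            n++;
    return n;
}

/*
 * Does one dNSName from the certificate match the host we meant to reach?
 * Rules as in RFC 6125 section 6.4.3 and common TLS libraries:
 *   - comparison is case-insensitive, a trailing '.' is ignored;
 *   - a wildcard is only honoured as the whole left-most label ("*.example.com");
 *   - the wildcard matches exactly one label, so "a.b.example.com" does not match;
 *   - a wildcard needs at least two labels to its right, so "*.com" never matches;
 *   - any other use of '*' is refused rather than risk over-matching.
 */
int dns_name_matches(const char *pattern, const char *host) {
    size_t plen = trimmed_len(pattern), hlen = trimmed_len(host);
    if (plen == 0 || hlen == 0)
        return 0;

    if (plen >= 2 && pattern[0] == '*' && pattern[1] == '.') {
        const char *psuffix = pattern + 1;          /* ".example.com" */
        size_t slen = plen - 1;
        if (label_count(psuffix + 1, slen - 1) < 2)
            return 0;                               /* "*.com"-style wildcard refused */
        const char *dot = memchr(host, '.', hlen);
        if (dot == NULL || dot == host)
            return 0;                               /* host needs a non-empty first label */
        size_t hsuffix_len = hlen - (size_t)(dot - host);
        return ci_equal(dot, hsuffix_len, psuffix, slen);
    }

    if (memchr(pattern, '*', plen) != NULL)
        return 0;

    return ci_equal(pattern, plen, host, hlen);
}

/* The step the report says verify_certificate() lacks: after the chain checks out,
 * require that at least one dNSName in the certificate names the intended host. */
int cert_matches_host(const char *const *dns_names, size_t count, const char *host) {
    for (size_t i = 0; i < count; i++)
        if (dns_name_matches(dns_names[i], host))
            return 1;
    return 0;
}

/* Constructed scenario: an attacker holds a perfectly valid certificate for
 * *.attacker.example and terminates a connection the client meant for
 * mail.example.com. Chain validation alone passes (assumed here); the hostname
 * check is what rejects it. Returns 1 when the connection must be refused. */
int mitm_scenario_rejected(void) {
    const char *attacker_sans[] = { "attacker.example", "*.attacker.example" };
    const char *intended_host = "mail.example.com";
    int chain_valid = 1;   /* assumption: verify_certificate() accepted the chain */
    return chain_valid && !cert_matches_host(attacker_sans, 2, intended_host);
}

int main(void) {
    const char *legit_sans[] = { "example.com", "*.example.com" };
    printf("legit cert names mail.example.com: %d\n",
           cert_matches_host(legit_sans, 2, "mail.example.com"));
    printf("MITM with attacker.example cert rejected: %d\n", mitm_scenario_rejected());
    return 0;
}
```

In a real GnuTLS client the same outcome comes from calling gnutls_x509_crt_check_hostname() on the peer's leaf certificate after gnutls_certificate_verify_peers2() succeeds, or from gnutls_certificate_verify_peers3() with the host name supplied, which performs both checks together; the hand-written matcher above only makes visible what that call does and why skipping it leaves the attacker's valid certificate accepted.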