[exim-dev] [Bug 1479] New: hostname check missing when verif…

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Roca
Dátum:  
Címzett: exim-dev
Tárgy: [exim-dev] [Bug 1479] New: hostname check missing when verifying X509 certificate
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=1479
           Summary: hostname check missing when verifying X509 certificate
           Product: Exim
           Version: 4.82
          Platform: Other
        OS/Version: Windows
            Status: NEW
          Severity: security
          Priority: high
         Component: TLS
        AssignedTo: pdp@???
        ReportedBy: heboyuan@???
                CC: exim-dev@???



Exim provide SSL/TLS support to encrypt SMTP connections.
The SSL/TLS support in Exim is implemented using both OpenSSL and Gnutls.

In the Gnutls implementation (src/tls-gnu.c), hostname check is missing when
performing the X509 certificate verification, which may cause serious security
problem that completely break the TLS mechanism.

The function verify_certificate() can only guarantee the validity of the
certificate but cannot guarantee that the host you are trying to connect is the
one you intend to visit, which may lead to man-in-the-middle attack or other
security issues.

In fact, hostname checking is critical when using Gnutls. One need to make sure
that the certificate is valid for the site that is claiming ownership of it
using the API gnutls_x509_crt_check_hostname(). And in the Gnutls newer than
3.1.4, a new API gnutls_certificate_verify_peers3() is introduced, which
combine certificate hostname checking together with certificate validity
checking, in order to aviod this problem.

In addition, I don’t see Exim OpenSSL implementation (src/tls-openssl.c) but
it may also have the same problem.

For more details, here is a related papers:
http://people.stfx.ca/x2011/x2011ucj/SSL/p38-georgiev.pdf

Thanks.


--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email