On Mon, May 12, 2014 at 08:07:41AM +0100, Roca wrote:
> In the Gnutls implementation (src/tls-gnu.c), hostname check is missing when
> performing the X509 certificate verification, which may cause serious security
> problem that completely break the TLS mechanism.
Actually "the TLS mechanism" in SMTP only protects against passive
monitoring. Given insecure MX resolution, and STARTTLS downgrade
attacks, plus other issues documented at:
http://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-09#section-1.3
MiTM-resistant TLS security is not possible at scale for SMTP
without DNSSEC + DANE.
Of course on a smaller scale one can in principle configure
secure-channel TLS to selected domains with PKIX verification.
With SMTP this typically requires the ability to explicitly configure
the names to expect in the peer certificate (the MX hostname is
generally not secure) and ideally the specific trust anchors to use.
This is supported by Postfix since version 2.3. In 2.11 I added DANE
to address Internet-scale TLS security with SMTP.
> The function verify_certificate() can only guarantee the validity of the
> certificate but cannot guarantee that the host you are trying to connect is the
> one you intend to visit, which may lead to man-in-the-middle attack or other
> security issues.
With SMTP, often the peer certificate does not contain the MX host's
name, and is generally self-signed or signed by a CA you don't trust,
and in any case the MiTM will attack the DNS or downgrade STARTTLS.
> In fact, hostname checking is critical when using Gnutls.
Yes, for HTTPS, not so much for SMTP, except when building
secure-channels with selected sites.
--
Viktor.
