[exim-dev] [Bug 1479] hostname check missing when verifying …

Author: Phil Pennock
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 1479] hostname check missing when verifying X509 certificate

http://bugs.exim.org/show_bug.cgi?id=1479




--- Comment #2 from Phil Pennock <pdp@???> 2014-05-13 21:58:33 ---
Exim is an MTA; there has been no sane approach to determining a hostname
suitable for verification of certificate identity. Note that the normal
handling of TLS failures for SMTP to remote hosts is, in every MTA, to fall
back to clear text delivery without TLS.

The DANE SMTP specification is going through the IETF process now; we've been
involved with that document and we intend to support it with Exim; this lays
down rules about determining the remote hostname, and requires DNSSEC by the
target domain operator and a validating resolver.

The only other use-case to support is to add a "tls_hostname_verify" setting,
or "tls_hostname" used as the default for both verification and for "tls_sni".
Where the administrator has specifically set a hostname to validate, instead of
relying upon insecure DNS, we do have something reasonable to assert.

Patches welcome.


--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email
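
The administrator-pinned case described in the comment, sketched as an added example (not part of the message above and not Exim code). The function names are hypothetical, `configured_name` stands in for the proposed "tls_hostname_verify" value, and the matching is a strict subset of RFC 6125 (wildcard only as the whole leftmost label).

```python
from typing import Iterable, Optional


def reference_identity(configured_name: Optional[str], mx_name: str) -> Optional[str]:
    """Pick the name the peer certificate must match.

    Only a name the administrator set explicitly is trusted. mx_name came
    from an unauthenticated MX lookup, so it is deliberately never used.
    """
    if configured_name:
        return configured_name.rstrip(".").lower()
    return None  # nothing trustworthy to assert


def name_matches(presented: str, reference: str) -> bool:
    """Compare one subjectAltName dNSName with the normalised reference name."""
    p = presented.rstrip(".").lower().split(".")
    r = reference.split(".")
    if len(p) != len(r):
        return False  # a wildcard covers exactly one label
    if p[0] == "*":
        # Reject "*.example": a wildcard directly under a top-level label.
        return len(p) >= 3 and p[1:] == r[1:]
    # Partial wildcards ("m*.example.org") and wildcards in other labels fail.
    return "*" not in presented and p == r


def verify_peer(san_dns_names: Iterable[str],
                configured_name: Optional[str], mx_name: str) -> str:
    """Return 'verified', 'mismatch', or 'unverified' (no pinned name set)."""
    ref = reference_identity(configured_name, mx_name)
    if ref is None:
        return "unverified"
    ok = any(name_matches(n, ref) for n in san_dns_names)
    return "verified" if ok else "mismatch"


# Constructed sample data, not taken from the bug report.
PINNED = "mail.partner.example"
CASES = [
    (["mail.partner.example"], PINNED, "mx1.partner.example"),
    (["*.partner.example"], PINNED, "mx1.partner.example"),
    # Certificate agrees with the MX answer but not with the pinned name.
    (["mx.other.example"], PINNED, "mx.other.example"),
    # No pinned name: a DNS-derived name is not treated as an identity.
    (["mx.other.example"], None, "mx.other.example"),
]

if __name__ == "__main__":
    for sans, pinned, mx in CASES:
        print(sans, pinned, mx, "->", verify_peer(sans, pinned, mx))
```

What the MTA does on "mismatch" or "unverified" (defer, fail, or deliver anyway) is a separate policy decision that this sketch does not model.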