Re: [exim-dev] [Bug 1479] hostname check missing when verify…

Author: Viktor Dukhovni
Date:  
To: exim-dev
Subject: Re: [exim-dev] [Bug 1479] hostname check missing when verifying X509 certificate
On Fri, May 16, 2014 at 12:17:33AM +0100, Jeremy Harris wrote:

> Created an attachment (id=728)
> --> (http://bugs.exim.org/attachment.cgi?id=728)
> prototype patch


You SHOULD NOT join all the altName values with newlines, and then
split that to recover the altnames. Hostile certificates might
contain embedded newlines in the subjectAltName. I doubt that all
CAs check this (just like they allowed embedded NULs in the
subject name or altName).

ASN.1 strings can contain NUL octets, and are not C strings. This
implementation leaves the potential problem unchecked.

Later, for DANE, you'll need to allow multiple names any one of
which might match the peer certificate. You also should probably
support wildcards "*.example.com".

See http://www.postfix.org/postconf.5.html#smtp_tls_secure_cert_match

So this feature probably should support multiple names from the
outset. Especially because some MX hosts have certificates that
match the next-hop domain (LHS of MX lookup), and others the MX
hostname or something else entirely.

-- 
    Viktor.
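The two points above, as an added example that is not part of the original message and not Exim's or Postfix's own code: joining subjectAltName values with newlines and re-splitting lets a hostile value inject extra names, while treating each value as a length-delimited byte string (ASN.1 strings are not C strings) and rejecting anything containing a NUL, newline or non-hostname byte closes that off. The second half matches the cleaned names against several acceptable hosts with leftmost-label wildcard support. The SAN values and host names are constructed test data; the hostname syntax rules and wildcard policy (one label, leftmost position only) are the usual RFC 6125 conventions, not something the message prescribes.

```python
# Added example (not from the original message, Exim or Postfix).
# Demonstrates why newline-joined altNames are unsafe and shows a
# length-delimited, multi-name, wildcard-aware matcher instead.
import re

# Constructed certificate SANs: one legitimate, two hostile. Modelled as
# bytes of explicit length because ASN.1 strings may contain any octet.
CONSTRUCTED_SANS = [
    b"mail.example.com",
    b"mx.example.com\nmx.victim.example",       # embedded newline
    b"mx.evil.example\x00.mx.victim.example",   # embedded NUL
]

# One DNS label: alphanumerics and hyphens, 1..63 octets, no leading or
# trailing hyphen (bytes regex, applied after lowercasing).
LABEL_RE = re.compile(rb"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def naive_names(sans):
    """The pattern criticised in the message: join every altName with
    newlines, then split on newline to recover them. A hostile value
    containing '\\n' yields extra, attacker-chosen names."""
    return b"\n".join(sans).split(b"\n")


def naive_matches(sans, host):
    """Exact compare against the naively recovered names."""
    return host.lower() in naive_names(sans)


def clean_dns_name(san):
    """Return a lowercased dNSName if `san` is a well-formed hostname
    (optionally with a leading '*.' wildcard label), else None.
    The whole value is inspected by length, so a NUL, newline or other
    byte outside the hostname alphabet anywhere in it rejects it."""
    if not san or b"\x00" in san or b"\n" in san:
        return None
    labels = san.lower().split(b".")
    wild = labels[0] == b"*"
    if wild:
        labels = labels[1:]
    if not labels or not all(LABEL_RE.match(label) for label in labels):
        return None
    return (b"*." if wild else b"") + b".".join(labels)


def name_matches(pattern, host):
    """Match one cleaned certificate name against one expected host.
    A wildcard is honoured only as the entire leftmost label and covers
    exactly one label: *.example.com matches mail.example.com but not
    example.com or a.b.example.com."""
    host = host.lower()
    if pattern.startswith(b"*."):
        suffix = pattern[1:]              # b".example.com"
        if not host.endswith(suffix):
            return False
        left = host[:-len(suffix)]
        return len(left) > 0 and b"." not in left
    return pattern == host


def certificate_matches(sans, acceptable_hosts):
    """Return the first (certificate_name, host) pair that matches, or
    None. Several acceptable hosts are tried because an MX host's
    certificate may name the next-hop domain, the MX hostname, or
    something else entirely; hostile SAN values are dropped first."""
    names = [n for n in (clean_dns_name(s) for s in sans) if n is not None]
    for host in acceptable_hosts:
        for name in names:
            if name_matches(name, host):
                return name, host
    return None


if __name__ == "__main__":
    print("naive recovered names:", naive_names(CONSTRUCTED_SANS))
    print("naive accepts mx.victim.example:",
          naive_matches(CONSTRUCTED_SANS, b"mx.victim.example"))
    print("hardened match for mx.victim.example:",
          certificate_matches(CONSTRUCTED_SANS, [b"mx.victim.example"]))
    print("hardened match for next-hop or MX name:",
          certificate_matches(CONSTRUCTED_SANS,
                              [b"victim.example", b"mail.example.com"]))
```

Running the block shows the naive path accepting `mx.victim.example` purely because a hostile SAN contained a newline, while the hardened path discards both hostile values and still matches the legitimate `mail.example.com` when it is one of several acceptable names.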