[exim-dev] [Bug 1479] hostname check missing when verifying …

Author: Phil Pennock
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 1479] hostname check missing when verifying X509 certificate
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=1479




--- Comment #6 from Phil Pennock <pdp@???> 2014-05-18 04:09:38 ---
Yeah, list, not hostlist, I was being a little silly again -- we need to be
able to get one absolute name, rather than a pattern, for canonical name
extraction for later merging with `tls_sni`. So on reflection, providing the
lookup keys from this new option and looking up in the cert, instead of
extracting names from the cert to lookup in a hostlist is correct, so that
LGTM.

There are rules for wildcard name matching in RFC 6125 section 6.4.3 which
beyond your code add support for the `*` not being the only component of a
label. Frankly, that's stupid and adds yet more complexity in an already
overly twisted area, especially since there's no statement around labels with
multiple wildcards in them (`f*b*r`) and handling that quickly leads into DoS
opportunities.

So I'm inclined to have the wildcard support only handle where a complete label
is replaced by `*`, exactly as you have it, but we probably need to document
this as "how Exim handles wildcards in certificates". I'm not aware of a
certificate profile for email, and we haven't been matching before, so unless
Viktor presents a compelling argument for doing something else, for consistency
with other checkers, we can simplify the implicit application profile for email
by not supporting that craziness.

Viktor, any strong feelings on wildcards other than whole-label?


--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email
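The whole-label-only wildcard policy discussed in the comment above, written out as an added example (this is not Exim's code and not from the bug's patch): a `*` is honoured only when it is the entire left-most label of the presented certificate name, it then covers exactly one label of the reference hostname (RFC 6125 section 6.4.3 rule 2), and partial or mid-name wildcards such as `f*b*r` are rejected outright rather than interpreted. The function names and the sample names are assumptions made for the example.

```python
"""Whole-label-only wildcard matching for certificate DNS names (added example)."""

from typing import Iterable


def _labels(name: str) -> list[str]:
    """Lowercase, drop one trailing dot, split into labels."""
    name = name.lower().rstrip(".")
    return name.split(".") if name else []


def dns_name_matches(presented: str, reference: str) -> bool:
    """True if the certificate's presented DNS name matches the reference hostname.

    Policy (assumed for this example, following the comment above):
      * '*' is accepted only as the complete left-most label;
      * that wildcard matches exactly one label, so *.example.com matches
        mail.example.com but neither example.com nor a.mail.example.com;
      * any other '*' (f*b*r, *oo.example.com, mail.*.com) makes the
        presented name unusable and it is simply rejected.
    """
    p = _labels(presented)
    r = _labels(reference)
    # Reject empty names, empty labels and a reference that itself contains '*'.
    if not p or not r or any(not lab for lab in p + r) or "*" in reference:
        return False
    for i, label in enumerate(p):
        if "*" in label and not (i == 0 and label == "*"):
            return False  # partial wildcard or wildcard outside the first label
    if p[0] == "*":
        if len(p) < 2:
            return False  # a bare "*" matches nothing
        # Wildcard covers one label: the remaining labels must match exactly.
        return len(p) == len(r) and p[1:] == r[1:]
    return p == r


def cert_matches_host(presented_names: Iterable[str], reference: str) -> bool:
    """Any of the certificate's DNS names (SAN entries) matching is enough."""
    return any(dns_name_matches(n, reference) for n in presented_names)
```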