Re: [exim] safe handling of $tls_sni

On Monday 17 of October 2016, Phil Pennock wrote:
> On 2016-10-12 at 14:50 +0200, Arkadiusz Miśkiewicz wrote:
> > Docs say that $tls_sni has raw data from client:
> >
> > "Great care should be taken to deal with matters of case, various
> > injection attacks in the string (../ or SQL), and ensuring that a valid
> > filename can always be referenced; it is important to remember that
> > $tls_sni is arbitrary unverified data provided prior to authentication."
>
> Someone read the text I wrote! Woohoo!
>
> (It only took a few years ...)
>
> > What is safest approach to handle $tls_sni when trying
> > to expand it to file on filesystem?
>
> Use a cryptographic hash for the filename.

Sounds smart.

> Or base64-encode it.

"/" is part of base64 alphabet, so would have to replace that with other
character, too.

[...]

> exists{/etc/mail/ssl/${sha1:${lc:tls_sni}}.pem}{/etc/mail/ssl/${sha1:${lc:
> tls_sni}}.pem}{/etc/mail/default-cert.pem}

I wonder how big performance impact will be there on each connection when
using sha1. sha will be calculated even twice for single connection.

I'm guessing no big impact as various hashing is already used in other places
like SMTP AUTH etc.

> -Phil

Thanks,
--
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )