[exim-dev] [Bug 2594] CNAME handling can break TLS certifica…

Author: admin
Date:  
To: exim-dev
Old-Topics: [exim-dev] [Bug 2594] New: CNAME handing can break TLS certificate verification
Subject: [exim-dev] [Bug 2594] CNAME handling can break TLS certificate verification
https://bugs.exim.org/show_bug.cgi?id=2594

--- Comment #2 from Chris Paulson-Ellis <chris@???> ---
I thought you might ask that :-)

I don't think this specific issue is explicitly addressed in any of the SMTP,
TLS or HTTPS RFCs. HTTPS is quite clear that the name being tested comes from
the URI, but doesn't go into specifics.

I'm not surprised by this - the resolution of names to IP addresses belongs to
a different layer - the DNS resolver - and the DNS RFCs talk about how to
obtain an IP address, not about what you might otherwise do with the data
obtained along the way.

However, the current exim behaviour is clearly inconsistent with what web
browsers actually do. If an HTTPS server returns a certificate for the CNAME
rather than the original FQDN in the URI, then the browser will fail the
verification.

--
You are receiving this mail because:
You are on the CC list for the bug.
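The distinction drawn in the comment above, as an added example that is not part of the bug report or of Exim's code: a small resolver that follows a CNAME chain, an RFC 6125-style dNSName matcher, and a verify step that can check the certificate either against the name originally asked for (what the comment says browsers do) or against the CNAME target (the behaviour the bug describes). The DNS table, the names and the certificate SAN lists are constructed for this example.

```python
"""Which name to verify a TLS certificate against when a CNAME is involved.

Added example, not Exim's code. The DNS records, host names and SAN lists
below are constructed for illustration only.
"""
from __future__ import annotations

# Constructed DNS data for the example: name -> (record type, value).
FAKE_DNS = {
    "mail.example.com": ("CNAME", "smtp-host.provider.example"),
    "smtp-host.provider.example": ("A", "192.0.2.10"),
}


def normalize(name: str) -> str:
    """Lower-case and drop a trailing dot so names compare consistently."""
    return name.rstrip(".").lower()


def resolve(name: str, max_depth: int = 8) -> tuple[str, str]:
    """Follow CNAMEs in FAKE_DNS and return (canonical name, address).

    The resolver hands back the CNAME target along with the address; it is
    the caller's job to decide which name the certificate is checked against.
    """
    current = normalize(name)
    for _ in range(max_depth):
        rtype, value = FAKE_DNS[current]
        if rtype == "A":
            return current, value
        current = normalize(value)  # CNAME: keep chasing the chain
    raise ValueError("CNAME chain too long")


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style dNSName match (case-insensitive).

    A wildcard is honoured only as the whole leftmost label, it matches
    exactly one label, and the pattern must keep at least two fixed labels
    so that '*.com' never matches anything.
    """
    pattern, hostname = normalize(pattern), normalize(hostname)
    if "*" not in pattern:
        return pattern == hostname
    head, _, tail = pattern.partition(".")
    if head != "*" or "*" in tail or tail.count(".") < 1:
        return False
    hhead, _, htail = hostname.partition(".")
    return bool(hhead) and htail == tail


def cert_matches(san_dns_names: list[str], hostname: str) -> bool:
    """True if any dNSName SAN in the certificate covers hostname."""
    return any(hostname_matches(p, hostname) for p in san_dns_names)


def verify(requested_name: str, san_dns_names: list[str],
           check_cname_target: bool = False) -> tuple[str, bool]:
    """Resolve requested_name, then verify the certificate.

    check_cname_target=False checks the name the client set out to reach
    (the browser behaviour described in the comment); True checks the
    canonical name the CNAME chain resolved to (the behaviour the bug
    reports). Returns (name that was checked, whether it matched).
    """
    canonical, _addr = resolve(requested_name)
    name = canonical if check_cname_target else normalize(requested_name)
    return name, cert_matches(san_dns_names, name)


if __name__ == "__main__":
    # Constructed certificate issued only for the CNAME target.
    cname_only = ["smtp-host.provider.example"]
    print(verify("mail.example.com", cname_only))        # ('mail.example.com', False)
    print(verify("mail.example.com", cname_only, True))  # ('smtp-host.provider.example', True)
```

The two calls at the bottom show the inconsistency the comment describes: the same certificate fails when checked against the originally requested name and passes when checked against the CNAME target, so a verifier that uses the canonical name accepts a certificate a browser would reject.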