[exim-dev] [Bug 2594] CNAME handling can break TLS certifica…

Top Pagina
Delete this message
Reply to this message
Auteur: admin
Datum:  
Aan: exim-dev
Oude Onderwerpen: [exim-dev] [Bug 2594] New: CNAME handing can break TLS certificate verification
Onderwerp: [exim-dev] [Bug 2594] CNAME handling can break TLS certificate verification
https://bugs.exim.org/show_bug.cgi?id=2594

--- Comment #2 from Chris Paulson-Ellis <chris@???> ---
I thought you might ask that :-)

I don't think this specific issue is explicitly addressed in either the SMTP,
TLS or HTTPS RFCs. HTTPS is quite clear that the name being tested comes from
the URI, but doesn't go into specifics.

I'm not surprised by this - the resolution of names to IP addresses belongs to
a different layer - the DNS resolver - and the DNS RFCs talk about how to
obtain an IP address, not about what you might otherwise do with the data
obtained along the way.

However, the current exim behaviour is clearly inconsistent with what web
browsers actually do. If an HTTPS server returns a certificate for the CNAME
rather than the original FQDN in the URI, then the browser will fail the
verification.

--
You are receiving this mail because:
You are on the CC list for the bug.