Re: [exim-dev] [Bug 2594] CNAME handling can break TLS certi…

Author: Viktor Dukhovni
Date:  
To: exim-dev
Subject: Re: [exim-dev] [Bug 2594] CNAME handling can break TLS certificate verification
On Mon, Jun 08, 2020 at 12:48:22PM +0000, admin--- via Exim-dev wrote:

> https://bugs.exim.org/show_bug.cgi?id=2594
>
> --- Comment #1 from Jeremy Harris <jgh146exb@???> ---
> Can you locate a standards document specifying the name that should be checked
> against the certificate?
Yes: https://tools.ietf.org/html/rfc6125#appendix-B.4

The original reporter is right. Aside from DANE, the correct name to
check in the certificate is the original name, not the (generally
insecure) CNAME expansion.

With DANE SMTP (RFC7672) CNAMEs can *augment* the set of valid names to
check in the certificate, to include the name associated with the TLSA
base domain, which might be a fully-expanded CNAME, provided the
expansion never strayed into a DNSSEC-unsigned zone.

    https://tools.ietf.org/html/rfc7672#section-3.2.2
-- 
    Viktor.
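As an added illustration (not Exim's code, and not from the message above), the following models the rule just stated: which names a client may accept in the server certificate given the original name, a CNAME chain and whether DANE is in use. The chain representation, the hostnames and the `tlsa_at_expanded` flag are constructed assumptions; the decision logic follows RFC 6125 Appendix B.4 and RFC 7672 Section 3.2.2.

```python
from typing import List, Set, Tuple

# One CNAME hop: (owner, target, dnssec_validated). Chains below are constructed.
Hop = Tuple[str, str, bool]


def _norm(name: str) -> str:
    """Canonical form for comparison: lowercase, no trailing dot."""
    return name.rstrip(".").lower()


def cname_chain_is_secure(chain: List[Hop]) -> bool:
    """True only when every hop of the CNAME expansion was DNSSEC-validated."""
    return all(validated for _, _, validated in chain)


def expanded_name(original: str, chain: List[Hop]) -> str:
    """Follow the CNAME chain from the original name to its final target."""
    targets = {_norm(owner): _norm(target) for owner, target, _ in chain}
    name, seen = _norm(original), set()
    while name in targets:
        if name in seen:
            raise ValueError("CNAME loop at " + name)
        seen.add(name)
        name = targets[name]
    return name


def reference_identifiers(original: str, chain: List[Hop],
                          dane: bool, tlsa_at_expanded: bool) -> Set[str]:
    """Names a client may accept in the server certificate.

    Without DANE only the original name counts (RFC 6125 App. B.4): an
    unsigned CNAME answer can be forged, so verifying the expansion would
    let whoever forged it choose the name that gets checked.

    With DANE (RFC 7672 Sec. 3.2.2) the fully expanded name is added as the
    TLSA base domain, but only if every hop was DNSSEC-validated and TLSA
    records exist at that expanded name (modelled by tlsa_at_expanded).
    """
    names = {_norm(original)}
    if dane and chain and cname_chain_is_secure(chain) and tlsa_at_expanded:
        names.add(expanded_name(original, chain))
    return names


# Constructed sample: a two-hop chain where every hop is signed, and the
# same chain with the last hop answered from an unsigned zone.
SECURE_CHAIN = [("mail.example.org", "relay.example.org", True),
                ("relay.example.org", "mx.provider.example", True)]
INSECURE_CHAIN = [("mail.example.org", "relay.example.org", True),
                  ("relay.example.org", "mx.provider.example", False)]
```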