[exim-dev] [Bug 2594] CNAME handling can break TLS certifica…

Author: admin
Date:  
To: exim-dev
Old-Topics: [exim-dev] [Bug 2594] New: CNAME handing can break TLS certificate verification
Subject: [exim-dev] [Bug 2594] CNAME handling can break TLS certificate verification
https://bugs.exim.org/show_bug.cgi?id=2594

Phil Pennock <pdp@???> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |pdp@???


--- Comment #5 from Phil Pennock <pdp@???> ---
If DNS is DNSSEC-signed and validated, then the DANE specs for email say to
chase CNAMEs to get the validated name, IIRC.

If DNS is not provably signed, then the only input for verification is the
hostname as entered into configs, or into the mail; DNS is then an _untrusted_
resolution mechanism and intermediate results are not appropriate for use as
identities to be validated as present in certificates.

In TLS, the cert hostname to validate should always, barring exceptional
override, be the same as the hostname sent in SNI.

In the original bug-report here:

"""
Cert hostname to check: "mail.edesix.local"
Setting TLS SNI "mail.dev.edesix.com"
"""

That is clearly an unfortunate combination. The first should use the same
value as the second.

--
You are receiving this mail because:
You are on the CC list for the bug.
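The identity-selection rule the comment describes, as an added illustration that is not Exim's own code: SNI and the certificate name are always the same value, and that value is the configured hostname unless the CNAME chain was DNSSEC-validated. The DnsAnswer type, the function names and the SAN list are assumptions; the two hostnames are the ones from the bug report.

```python
# Added example, not Exim code. DnsAnswer and the helpers below are assumed.
from dataclasses import dataclass


@dataclass
class DnsAnswer:
    """What the resolver returned: the CNAME targets followed, in order,
    and whether it reported the answer as DNSSEC-validated (AD flag)."""
    cname_chain: list
    dnssec_validated: bool


def choose_tls_identity(configured_host, answer):
    """Return (sni_name, verify_name) for a connection to configured_host.

    Validated DNS: the DANE rules let us chase CNAMEs, so the final validated
    name is the identity.  Unsigned DNS: resolution is untrusted, so only the
    configured name may serve as an identity.  Both names are always equal.
    """
    if answer.dnssec_validated and answer.cname_chain:
        identity = answer.cname_chain[-1]
    else:
        identity = configured_host
    return identity, identity


def buggy_identity(configured_host, answer):
    """Combination reported in the bug, kept for contrast: SNI from the
    configured name, certificate check against the unvalidated CNAME target."""
    verify = answer.cname_chain[-1] if answer.cname_chain else configured_host
    return configured_host, verify


def identities_consistent(sni_name, verify_name):
    """The invariant the comment states: cert name must equal the SNI name."""
    return sni_name.lower().rstrip(".") == verify_name.lower().rstrip(".")


def cert_matches(verify_name, san_dns_names):
    """Minimal dNSName matcher: exact label match or a single leftmost '*'."""
    host = verify_name.lower().rstrip(".")
    for san in san_dns_names:
        san = san.lower().rstrip(".")
        if san == host:
            return True
        if san.startswith("*.") and "." in host and host.split(".", 1)[1] == san[2:]:
            return True
    return False
```

With an unsigned answer, the buggy pairing verifies "mail.edesix.local" against a certificate issued for "mail.dev.edesix.com" and fails, while the consistent pairing passes.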