Re: [exim-dev] [Bug 2594] CNAME handling can break TLS certi…

Top Page
Delete this message
Reply to this message
Author: Jeremy Harris
Date:  
To: exim-dev
Subject: Re: [exim-dev] [Bug 2594] CNAME handling can break TLS certificate verification
On 08/06/2020 14:51, Viktor Dukhovni via Exim-dev wrote:
> On Mon, Jun 08, 2020 at 12:48:22PM +0000, admin--- via Exim-dev wrote:
>
>> https://bugs.exim.org/show_bug.cgi?id=2594
>>
>> --- Comment #1 from Jeremy Harris <jgh146exb@???> ---
>> Can you locate a standards document specifying the name that should be checked
>> against the certificate?
>
> Yes: https://tools.ietf.org/html/rfc6125#appendix-B.4
>
> The original reported is right.


No, it's worse. If you take that RFC 3207 wording strictly:

  -  A SMTP client would probably only want to authenticate an SMTP
      server whose server certificate has a domain name that is the
      domain name that the client thought it was connecting to.


it could mean the domain part of the recipient email address,
pre-MX-lookup. Thanks to the word "domain".

Or it could mean that, again, but only when there is no MX record
and an A / AAAA is being used... but pre-CNAME.

Or it could mean post-CNAME, because that "client" SMTP agent surely
thought it was connecting to a name that A/AAAA resolved to the IP for
the connect() syscall.


It really is not well specified.

--
Cheers,
Jeremy