Bug 3647

Summary: add support for Subject Alternate Name (SAN)
Product: Claws Mail (GTK 2)
Reporter: Pd <claws-mail>
Component: Other
Assignee: users
Status: RESOLVED WORKSFORME
Severity: enhancement
Priority: P3
Version: 3.13.2
Hardware: PC
OS: Linux
Attachments:
Description Flags
Screenshot none

Description Pd 2016-05-17 19:36:17 UTC
Our mail is handled by a cluster of servers behind a load balancer.  The SSL certificates have the name of the server and also the name of the load balancer as a Server Alternate Name (SAN).  

Because of these things, every time I send an email, I get an error saying that the cert is invalid (hostname != server name) and would I like to save it for next time.

Can you fix it so that CM checks the SAN and allows connections if the server name is on the SAN list?

Also, how do I load our company's CA on the list of trusted CAs?  I couldn't find this in any menu or preference setting.

Thanks
Comment 1 Pd 2016-05-17 19:37:23 UTC
Created attachment 1647
Screenshot
Comment 2 Andrej Kacian 2016-05-18 18:42:37 UTC
We already check Subject Alternate Names. Function gnutls_x509_crt_check_hostname() is used, which does that implicitly.

I just tested a connection against a server which uses a different Subject CN, and a few SANs, and it worked just fine, server name matching one of the SANs.

You can load your CA to your system's CA list (/etc/ssl for most Linux distributions).
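
Added example (not part of the original thread, and not GnuTLS or Claws Mail code): a self-contained C model of the SAN-first rule used by RFC 6125-style hostname matching, the kind of check Comment 2 refers to. dNSName SAN entries are compared first, and the subject CN is consulted only when the certificate carries none. The cert_names struct, the function names and all hostnames are assumptions constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed model of the names in a certificate (not a GnuTLS type). */
struct cert_names {
    const char *cn;          /* subject Common Name */
    const char *san_dns[4];  /* dNSName SAN entries, NULL-terminated */
};

/* Case-insensitive match; a leading "*." covers exactly one leftmost label. */
static int name_matches(const char *pattern, const char *host)
{
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        return dot != NULL && dot != host && strcasecmp(pattern + 1, dot) == 0;
    }
    return strcasecmp(pattern, host) == 0;
}

/* Returns 1 if the certificate is valid for host, 0 otherwise. */
int check_hostname(const struct cert_names *c, const char *host)
{
    if (c->san_dns[0] != NULL) {
        for (int i = 0; i < 4 && c->san_dns[i] != NULL; i++)
            if (name_matches(c->san_dns[i], host))
                return 1;
        return 0; /* dNSName SANs exist, so the CN is not consulted */
    }
    return c->cn != NULL && name_matches(c->cn, host);
}

/* Constructed sample certificates; all hostnames are placeholders. */
static const struct cert_names node_cert = {
    "mx1.example.com", { "mx1.example.com", "mail.example.com", NULL } };
static const struct cert_names cn_only_lb = {
    "mail.example.com", { "mx1.example.com", NULL } };
static const struct cert_names no_san = { "mail.example.com", { NULL } };

int main(void)
{
    printf("%d %d %d\n", check_hostname(&node_cert, "mail.example.com"),
           check_hostname(&cn_only_lb, "mail.example.com"),
           check_hostname(&no_san, "mail.example.com"));
    return 0;
}
```

In this model the second certificate fails for the load balancer name even though its CN matches, because a SAN list that omits the name takes precedence over the CN.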