Bug 2127 - SSL cert check uses canonical name instead of specified name
Summary: SSL cert check uses canonical name instead of specified name
Status: RESOLVED FIXED
Alias: None
Product: Claws Mail (GTK 2)
Classification: Unclassified
Component: Folders/IMAP
Version: 3.7.5
Hardware: PC Linux
Importance: P3 major
Assignee: users
URL:
Depends on:
Blocks:
 
Reported: 2010-02-24 08:54 UTC by Ryan Rawdon
Modified: 2012-09-12 12:11 UTC
CC: 3 users

See Also:


Attachments
Inbound mail config (80.55 KB, image/png)
2010-02-24 08:54 UTC, Ryan Rawdon
SSL Certificate validation error (76.04 KB, image/png)
2010-02-24 08:55 UTC, Ryan Rawdon

Description Ryan Rawdon 2010-02-24 08:54:12 UTC
Created attachment 807
Inbound mail config

As you can see in the attachments, I:

- configured my instances of claws-mail with the incoming IMAP server mail.puttynuts.com
- Went to view my inbox/build the folder tree
- Received a warning about the SSL cert being invalid, referencing the name 'mx01.puttynuts.com' which appears nowhere in the inbound server configuration.

It would appear that claws-mail is seeing that mail.puttynuts.com is a CNAME for mx01.puttynuts.com. It is then checking the SSL certificate against that name instead of the one specified in the configuration. This does not seem to be a desirable behavior.
Comment 1 Ryan Rawdon 2010-02-24 08:55:09 UTC
Created attachment 808
SSL Certificate validation error

Note that the SSL certificate is valid for the name mail.puttynuts.com, it is not self-signed and works fine in other applications.
Comment 2 Christopher Head 2011-03-27 20:50:08 UTC
Note that this is a serious security vulnerability. An evil attacker need only attack DNS and they can make “mail-server.good-organization.org” be a CNAME for “mail-server.evil-organization.org” and you're screwed, because the attacker can perfectly legitimately obtain a certificate for “evil-organization.org” (they own the domain).
Comment 3 Corey Hickey 2011-08-28 09:53:51 UTC
I ran into this bug too. Sorry to bug you about it, but is this intended to be fixed?

It seems to me that the certificate verification should pertain to the host exactly as specified by the user.

I had a look at the source, and I see lots of code in src/common/ssl_certificate.c that handles FQDNs. What is the intent of this? I was going to try to make a patch, but there's too much for me to strip out without knowing the rationale.

Thanks,
Corey
Comment 4 Christopher Head 2011-08-30 03:16:35 UTC
Certificate verification *should* pertain to the hostname specified by the user, because certificate verification is about intent: it's about verifying that the machine you connected to is the machine you intended to connect to, and the hostname entered by the user is the only guaranteed-correct expression of that intent.
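The two behaviours discussed in this bug, side by side, as an added example that is not Claws Mail code: the CNAME table and the certificates are constructed stand-ins for the situation in the report and in Comment 2, and the match rules are a minimal RFC 6125-style name comparison.

```python
"""Hostname verification against the user-configured name, not the CNAME target.

Added example, not Claws Mail code. The DNS table and certificates below are
constructed stand-ins for what this bug report describes.
"""

# Constructed CNAME table: the name the user typed resolves via a CNAME.
CNAMES = {
    "mail.puttynuts.com": "mx01.puttynuts.com",                                 # the reported case
    "mail-server.good-organization.org": "mail-server.evil-organization.org",  # Comment 2 scenario
}

# Constructed certificates: host actually connected to -> subjectAltName dNSName entries.
PRESENTED_CERTS = {
    "mx01.puttynuts.com": ["mail.puttynuts.com"],                      # valid for the configured name only
    "mail-server.evil-organization.org": ["*.evil-organization.org"],  # legitimately issued to the attacker
}

def canonical_name(host):
    """What a resolver would report as the canonical name for `host`."""
    return CNAMES.get(host, host)

def name_matches(pattern, host):
    """RFC 6125-style match: case-insensitive; a wildcard covers exactly one leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = host.split(".")
        # Require at least three labels so "*.com" never matches "example.com".
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return pattern == host

def cert_valid_for(san_names, host):
    return any(name_matches(n, host) for n in san_names)

def verify_buggy(configured_host):
    """Pre-fix behaviour: compares the certificate against the resolved CNAME target."""
    target = canonical_name(configured_host)
    return cert_valid_for(PRESENTED_CERTS[target], target)

def verify_fixed(configured_host):
    """Fixed behaviour: the certificate must name the host the user actually asked for."""
    target = canonical_name(configured_host)  # DNS selects the server; it never defines the expected name
    return cert_valid_for(PRESENTED_CERTS[target], configured_host)
```

For the reported server the buggy check raises a false alarm and the fixed check passes; for the Comment 2 scenario the buggy check accepts the attacker's valid certificate while the fixed check rejects it.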
Comment 5 Colin Leroy 2011-08-30 08:06:13 UTC
Yeah, back a few years, I thought it would be a good idea to use FQDN to display the mail server's name. At this time, there was no automatic acceptance of certificates so that was just a display thing.

I'll remove that.
Comment 6 users 2011-08-30 08:20:20 UTC
Changes related to this bug have been committed.
Please check latest CVS and update the bug accordingly.
You can also get the patch from:
http://www.colino.net/claws-mail/

2011-08-30 [colin]	3.7.10cvs8

	* src/ssl_manager.c
	* src/common/ssl.c
	* src/common/ssl_certificate.c
	* src/common/ssl_certificate.h
	* src/etpan/imap-thread.c
	* src/etpan/nntp-thread.c
		Fix bug #2127, "SSL cert check uses canonical name instead of
		specified name"
Comment 7 Corey Hickey 2011-08-30 09:34:24 UTC
Thank you for the fix, I can confirm that it works. Now I'm having trouble with bug 2199, though.

http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2199

Thanks,
Corey
