Created attachment 807: Inbound mail config
As you can see in the attachments, I:
- Configured my instances of claws-mail with the incoming IMAP server mail.puttynuts.com
- Went to view my inbox/build the folder tree
- Received a warning about the SSL cert being invalid, referencing the name 'mx01.puttynuts.com', which appears nowhere in the inbound server configuration.
It would appear that claws-mail is seeing that mail.puttynuts.com is a CNAME for mx01.puttynuts.com. It is then checking the SSL certificate against that name instead of the one specified in the configuration. This does not seem to be a desirable behavior.
Created attachment 808: SSL Certificate validation error
Note that the SSL certificate is valid for the name mail.puttynuts.com; it is not self-signed and works fine in other applications.
Note that this is a serious security vulnerability. An evil attacker need only attack DNS and they can make “mail-server.good-organization.org” be a CNAME for “mail-server.evil-organization.org” and you're screwed, because the attacker can perfectly legitimately obtain a certificate for “evil-organization.org” (they own the domain).
I ran into this bug too. Sorry to bug you about it, but is this intended to be fixed? It seems to me that the certificate verification should pertain to the host exactly as specified by the user. I had a look at the source, and I see lots of code in src/common/ssl_certificate.c that handles FQDNs. What is the intent of this? I was going to try to make a patch, but there's too much for me to strip out without knowing the rationale.
Thanks,
Corey
Certificate verification *should* pertain to the hostname specified by the user, because certificate verification is about intent: it's about verifying that the machine you connected to is the machine you intended to connect to, and the hostname entered by the user is the only guaranteed-correct expression of that intent.
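An added illustration of the point discussed above (not code from Claws Mail or from any commenter in this thread): the same certificate-name matcher fed two different reference identities, the canonical name returned by DNS versus the name the user configured. The function names, the `struct cert` layout and the sample certificates are hypothetical and constructed for this example, and the matcher is a simplified dNSName comparison, not a full RFC 6125 implementation.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

struct cert { const char *names[4]; };  /* dNSName entries, NULL-terminated */
/* Constructed sample certificates, using the host names from this thread. */
static const struct cert GOOD_CERT = { { "mail.puttynuts.com", NULL } };
static const struct cert EVIL_CERT = { { "mail-server.evil-organization.org", NULL } };

/* A wildcard counts only as the whole left-most label and covers one label. */
static int name_matches(const char *pattern, const char *host)
{
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        return dot != NULL && dot != host && strcasecmp(pattern + 1, dot) == 0;
    }
    return strcasecmp(pattern, host) == 0;
}

static int cert_valid_for(const struct cert *c, const char *host)
{
    for (int i = 0; i < 4 && c->names[i] != NULL; i++)
        if (name_matches(c->names[i], host))
            return 1;
    return 0;
}

/* Reported behaviour: reference identity is the canonical name from DNS. */
int verify_against_canonical(const struct cert *c, const char *configured, const char *canonical)
{
    (void)configured;
    return cert_valid_for(c, canonical);
}

/* Fixed behaviour: reference identity is the name the user configured. */
int verify_against_configured(const struct cert *c, const char *configured, const char *canonical)
{
    (void)canonical;              /* DNS answers are unauthenticated input */
    return cert_valid_for(c, configured);
}

int main(void)
{
    const char *cfg = "mail-server.good-organization.org";
    const char *cname = "mail-server.evil-organization.org";  /* forged CNAME target */
    printf("canonical check accepts forged target:  %d\n", verify_against_canonical(&EVIL_CERT, cfg, cname));
    printf("configured check accepts forged target: %d\n", verify_against_configured(&EVIL_CERT, cfg, cname));
    return 0;
}
```

The canonical-name check fails in both directions: it rejects the reporter's valid certificate for mail.puttynuts.com and accepts a certificate issued for whatever name DNS was made to return.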
Yeah, back a few years, I thought it would be a good idea to use FQDN to display the mail server's name. At this time, there was no automatic acceptance of certificates so that was just a display thing. I'll remove that.
Changes related to this bug have been committed. Please check latest CVS and update the bug accordingly. You can also get the patch from: http://www.colino.net/claws-mail/
2011-08-30 [colin] 3.7.10cvs8
    * src/ssl_manager.c
    * src/common/ssl.c
    * src/common/ssl_certificate.c
    * src/common/ssl_certificate.h
    * src/etpan/imap-thread.c
    * src/etpan/nntp-thread.c
        Fix bug #2127, "SSL cert check uses canonical name instead of specified name"
Thank you for the fix, I can confirm that it works. Now I'm having trouble with bug 2199, though. http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2199
Thanks,
Corey