Bug 3647 - add support for Subject Alternate Name (SAN)
Status: RESOLVED WORKSFORME
Alias: None
Product: Claws Mail (GTK 2)
Classification: Unclassified
Component: Other
Version: 3.13.2
Hardware: PC Linux
Importance: P3 enhancement
Assignee: users
Reported: 2016-05-17 19:36 UTC by Pd
Modified: 2016-05-18 18:42 UTC

Attachments
Screenshot (42.22 KB, image/png)
2016-05-17 19:37 UTC, Pd

Description Pd 2016-05-17 19:36:17 UTC
Our mail is handled by a cluster of servers behind a load balancer.  The SSL certificates have the name of the server and also the name of the load balancer as a Server Alternate Name (SAN).  

Because of these things, every time I send an email, I get an error saying that the cert is invalid (hostname != server name) and would I like to save it for next time.

Can you fix it so that CM checks the SAN and allows connections if the server name is on the SAN list?

Also, how do I load our company's CA on the list of trusted CAs?  I couldn't find this in any menu or preference setting.

Thanks
Comment 1 Pd 2016-05-17 19:37:23 UTC
Created attachment 1647
Screenshot
Comment 2 Andrej Kacian 2016-05-18 18:42:37 UTC
We already check Subject Alternate Names. Function gnutls_x509_crt_check_hostname() is used, which does that implicitly.

I just tested a connection against a server which uses a different Subject CN, and a few SANs, and it worked just fine, server name matching one of the SANs.

You can load your CA to your system's CA list (/etc/ssl for most Linux distributions).
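
Added example, not Claws Mail or GnuTLS code: a simplified model of RFC 6125 style hostname matching, in which dNSName SANs are checked first and the Subject CN is used only when the certificate has no dNSName SAN. The names `cert_names`, `check_hostname` and the example.com hosts are hypothetical and constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a certificate's names (not a GnuTLS type). */
struct cert_names {
    const char *cn;         /* Subject Common Name, may be NULL */
    const char *san_dns[5]; /* up to 4 dNSName SANs, NULL-terminated */
};

/* ASCII case-insensitive equality, as DNS names are compared. */
static int eq_nocase(const char *a, const char *b)
{
    while (*a && tolower((unsigned char)*a) == tolower((unsigned char)*b))
        a++, b++;
    return *a == '\0' && *b == '\0';
}

/* A leading "*." stands for exactly one non-empty left-most label. */
static int name_matches(const char *presented, const char *host)
{
    if (strncmp(presented, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        return dot != NULL && dot != host && eq_nocase(presented + 1, dot);
    }
    return eq_nocase(presented, host);
}

/* Returns 1 if host is covered; the CN counts only when no dNSName SAN exists. */
int check_hostname(const struct cert_names *c, const char *host)
{
    int i;
    for (i = 0; i < 4 && c->san_dns[i] != NULL; i++)
        if (name_matches(c->san_dns[i], host))
            return 1;
    if (i > 0)
        return 0; /* SANs present, none matched: no fallback to the CN */
    return c->cn != NULL && name_matches(c->cn, host);
}

/* Constructed sample certificates; the example.com names are placeholders. */
const struct cert_names lbonly = { "mail01.example.com", { "lb.example.com" } };
const struct cert_names cnonly = { "mail01.example.com", { NULL } };
const struct cert_names wild   = { NULL, { "*.example.com" } };

int main(void)
{
    printf("lb=%d mail01=%d\n", check_hostname(&lbonly, "lb.example.com"), check_hostname(&lbonly, "mail01.example.com"));
    return 0;
}
```

In this model a certificate whose only SAN is the load balancer name does not match the backend server's own name, even though that name is in the CN, so every hostname clients connect to needs to be listed as a SAN.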
