http://bugs.exim.org/show_bug.cgi?id=1479

Summary: hostname check missing when verifying X509 certificate
Product: Exim
Version: 4.82
Platform: Other
OS/Version: Windows
Status: NEW
Severity: security
Priority: high
Component: TLS
AssignedTo: p...@exim.org
ReportedBy: heboy...@gmail.com
CC: exim-dev@exim.org

Exim provides SSL/TLS support to encrypt SMTP connections. The SSL/TLS support in Exim is implemented using both OpenSSL and GnuTLS. In the GnuTLS implementation (src/tls-gnu.c), the hostname check is missing when performing the X509 certificate verification, which may cause a serious security problem that completely breaks the TLS mechanism. The function verify_certificate() can only guarantee the validity of the certificate but cannot guarantee that the host you are trying to connect to is the one you intend to visit, which may lead to a man-in-the-middle attack or other security issues.

In fact, hostname checking is critical when using GnuTLS. One needs to make sure that the certificate is valid for the site that is claiming ownership of it using the API gnutls_x509_crt_check_hostname(). And in GnuTLS newer than 3.1.4, a new API gnutls_certificate_verify_peers3() is introduced, which combines certificate hostname checking together with certificate validity checking, in order to avoid this problem.

In addition, I haven't looked at the Exim OpenSSL implementation (src/tls-openssl.c) but it may also have the same problem.

For more details, here is a related paper: http://people.stfx.ca/x2011/x2011ucj/SSL/p38-georgiev.pdf

Thanks.
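To make the reporter's point concrete: a chain check alone answers "was this certificate issued by a trusted CA?" but never "was it issued for the host I dialled?". The following is an added illustration, not Exim code and not GnuTLS's gnutls_x509_crt_check_hostname() (which additionally handles IP addresses, CN fallback and IDNA); it implements the core dNSName matching rules of RFC 6125 section 6.4.3 over a constructed stand-in for a parsed certificate (struct peer_cert, dns_name_matches() and verify_peer() are names chosen for this example), and shows that a certificate with a perfectly valid chain for mail.attacker.example passes the chain-only check yet fails once the expected hostname is compared.

```c
/* Added example: hostname matching that a chain-only certificate check
 * omits. Not Exim's verify_certificate() and not GnuTLS's
 * gnutls_x509_crt_check_hostname(); a simplified RFC 6125 dNSName match. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive equality of two DNS names (DNS names are case-insensitive). */
static int ieq(const char *a, const char *b) {
    while (*a && *b) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
        a++; b++;
    }
    return *a == '\0' && *b == '\0';
}

/* Number of dot-separated labels in a name. */
static int label_count(const char *s) {
    int n = 1;
    for (; *s; s++) if (*s == '.') n++;
    return n;
}

/* Return 1 if `pattern` (a dNSName taken from the certificate) matches `host`.
 * Rules: exact case-insensitive match, or a wildcard "*" that is the whole
 * left-most label, matches exactly one label, and leaves at least two literal
 * labels in the pattern (so "*.org" never matches anything). */
int dns_name_matches(const char *pattern, const char *host) {
    if (!pattern || !host || !*pattern || !*host) return 0;
    if (strncmp(pattern, "*.", 2) != 0) return ieq(pattern, host);
    if (label_count(pattern) < 3) return 0;           /* "*.org" is too broad */
    if (strchr(pattern + 2, '*') != NULL) return 0;   /* single, left-most wildcard only */
    const char *host_dot = strchr(host, '.');
    if (host_dot == NULL || host_dot == host) return 0; /* host needs a first label */
    return ieq(pattern + 2, host_dot + 1);            /* remaining labels match literally */
}

/* Constructed stand-in for a parsed peer certificate: the outcome of the
 * chain/validity check and the subjectAltName dNSName entries it carries. */
struct peer_cert {
    int chain_ok;               /* what a verify_certificate()-style check yields */
    const char *dns_names[4];   /* dNSName entries, NULL-terminated */
};

/* Complete verification: the chain must be valid AND one name must match the
 * host the client intended to reach. Returns 1 on success, 0 otherwise. */
int verify_peer(const struct peer_cert *c, const char *expected_host) {
    if (!c->chain_ok) return 0;
    for (size_t i = 0; c->dns_names[i] != NULL; i++)
        if (dns_name_matches(c->dns_names[i], expected_host)) return 1;
    return 0;
}

int main(void) {
    /* Constructed MITM scenario: CA-signed, valid chain, wrong host. */
    struct peer_cert mitm = { 1, { "mail.attacker.example", NULL } };
    printf("chain only: %d, chain + hostname: %d\n",
           mitm.chain_ok, verify_peer(&mitm, "smtp.example.org"));
    return 0;
}
```

In GnuTLS terms, the extra step is the call to gnutls_x509_crt_check_hostname() after the chain verification, or the combined gnutls_certificate_verify_peers3() the reporter mentions; either way the name the client resolved and connected to must be the one compared against the certificate, not a name taken from the certificate itself.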