[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Mutt: failure to check server certificate in SMTP TLS connection

To: Honza Horak <hhorak@xxxxxxxxxx>
Subject: Re: [Full-disclosure] Mutt: failure to check server certificate in SMTP TLS connection
From: dave b <db.pub.mail@xxxxxxxxx>
Date: Wed, 23 Mar 2011 00:40:06 +1100

> Hi,
>
> I've tested this behaviour using both - gnutls and openssl - and it seems
> like the only difference is that there is an error printed using openssl:
> "Certificate host check failed: certificate owner does not match hostname
> imap.myhost.web".
>
> In both cases a user can accept the certificate, but there is no warning
> about certificate's hostname mishmash using gnutls, which is a
> vulnerability.
>
> I just wanted to sum up the issue, do I understand it correctly?
>

Yes and no. The thing is with gnutls if the certificate is valid for
another host - like I had in my test example then gnutls will not show
the error and will continue as if there is no error.
Obviously if the host has a certificate that is not 'valid' (e.g. self
signed) mutt will
prompt and ask for you to accept it first .

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- Re: [Full-disclosure] Mutt: failure to check server certificate in SMTP TLS connection
  - From: Honza Horak

Prev by Date: Re: [Full-disclosure] Gmail and China's GFW
Next by Date: [Full-disclosure] NSOADV-2011-001: Symantec LiveUpdate Administrator CSRF vulnerability
Previous by thread: Re: [Full-disclosure] Mutt: failure to check server certificate in SMTP TLS connection
Next by thread: [Full-disclosure] NSOADV-2011-001: Symantec LiveUpdate Administrator CSRF vulnerability
Index(es):
- Date
- Thread