[Dev] IMAP and SMTP over SSL secure - finally
RL 'Bob' Morgan
rlmorgan at washington.edu
Fri Feb 11 12:29:43 PST 2005
Heikki Toivonen wrote:
> I just enabled the final piece in the SSL support for IMAP and SSL. We
> now check the X.509 certificate that was returned by the server and make
> sure that the host it was issued to is the same host we connected to.
Just to make sure: the name that your client should be comparing with
(ie, the one it has, as opposed to one of the names it finds in the
cert) is the name "as entered by the user" or otherwise obtained by the
client in the context of "the hostname of the site the user wants to
connect to". You shouldn't be doing anything like following
DNS-provided CNAME chains to come up with the name.
Also, in terms of what's in the cert, it's important to provide support
for getting the name from the subjectAltName field as well as the more
usual (but unfortunately entirely bogus from a spec point of view)
CN-in-the-Subject-DN. Also worth noting that behavior is undefined if
there happens to be more than one CN RDN in the Subject DN; probably the
right thing to do is to check against the last one in the sequence.
> The actual check is stricter than is actually specified in the RFC. I
> will change it to confirm to the spec, but I would also be interested in
> finding out if there actually are any certificates out there that would
> not pass the current check. Specifically, the current checks are
> stricter because: 1) they are case sensitive, 2) they don't allow
> certificates specified for multiple hosts. I don't really like how I
> implemented this whole validation step so I will redo a part of it anyway.
I would avoid doing a case-sensitive check, it can only lead to
mysterious problems. That said, I have no idea how IDN affects this
practice, I'm sure the right thing in the long run is to do an
octet-string match, but in the meantime I don't think we want to have to
figure out failure cases where the user entered "Foo.Bar.Edu" as the
hostname for some reason.
But what I really want to write about is the multiple host thing.
Unfortunately wildcard behavior is also not well-standardized, but it is
also common practice. At our site we depend on the ability to tell
users to configure their clients to go to
<username>.mailserver.washington.edu, have DNS resolve to the address of
their mailserver, have all the servers use a *.mailserver.washington.edu
cert, and have clients accept that as matching their user-entered
service name. As far as I know this works with all IMAP clients we've
tried (some of which has required complaints to vendors in the past).
I suspect that code varies a lot on exactly which wildcard forms are
supported ( *.foo.bar.com, *foo.bar.com, *.*.bar.com, etc), and I don't
believe there's a single written-down spec to follow, but I believe that
at least the *.foo.bar.com style is widely supported and widely used.
- RL "Bob"
More information about the Dev