fetchmail-friends

[fetchmail] [Roland Stigge] Bug#201113: fetchmail is missing a check for Subject Alternative Name (TLS cert.)

2003-08-06 16:33:12

Hi friends,

here is a patch from a Debian user that adds a check for Subject
Alternative Name for TLS.

--- Begin Message ---
Package: fetchmail
Version: 6.2.2-3.1
Severity: normal
Tags: upstream patch

Hi,

the administrators of my "ISP" changed the CommonName of the mail
server's certificate. Since then, I get the following warnings when
fetching my mail:

=====
fetchmail: Server CommonName mismatch: 
(sigma|sigma2|mailslv1).informatik.hu-berlin.de !=
sigma.informatik.hu-berlin.de
fetchmail: Server CommonName mismatch:
(sigma|sigma2|mailslv1).informatik.hu-berlin.de !=
sigma.informatik.hu-berlin.de
fetchmail: Server CommonName mismatch:
(sigma|sigma2|mailslv1).informatik.hu-berlin.de !=
sigma.informatik.hu-berlin.de
=====

After that, the program proceeds fine, but I get annoying warning mails
generated because of these stderr messages. I asked them about this crazy
Server Name ("(sigma|sigma2|mailslv1).informatik.hu-berlin.de") and they
said that this way, they support old Netscape versions which interpret
the CommonName as a RegExp, and that according to RFC 2818, the "Subject
Alternative Name" should be checked _before_ the CommonName. (In my
opinion, RFC 2595 is more appropriate, but it basically means the same.)

They said that I would first have to check the Subject Alternative Name
to eliminate this problem. OK, I prepared a small patch for fetchmail
(see Attachment). Unfortunately, it uses x509v3.h instead of x509.h
(well - possibly needed anyway someday), but works quite well. :)

What do you think? In the case that you are sure that this one shouldn't
go into fetchmail, please help me to convince our admins not to use
CommonNames like the aforementioned. But then, you should also explain
why to ignore the corresponding RFCs. :-)

Thanks!

bye,
  Roland

-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux atari 2.4.20 #1 Fri Apr 4 11:15:24 CEST 2003 i686
Locale: LANG=en_IE@euro, LC_CTYPE=en_IE@euro

Versions of packages fetchmail depends on:
ii  adduser                       3.50       Add and remove users and groups
ii  base-files                    3.0.8      Debian base system miscellaneous f
ii  debconf                       1.2.42     Debian configuration management sy
ii  debianutils                   2.5.4      Miscellaneous utilities specific t
ii  libc6                         2.3.1-17   GNU C Library: Shared libraries an
ii  libssl0.9.7                   0.9.7b-2   SSL shared libraries

-- debconf information excluded

Attachment: fetchmail-6.2.2subjectAltName.patch
Description: Text Data

Attachment: pgp3jlHyo4tLe.pgp
Description: PGP signature


--- End Message ---


Cheers,
Benjamin

-- 
  .''`.
 ; ;' ;      Debian GNU/Linux     |   Benjamin Drieu
 `. `'    http://www.debian.org/  |  <benj@debian.org>
   `-    
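The check the bug report asks for, as an added example that is not Roland's attached patch or fetchmail's own code: an RFC 2818 section 3.1 server identity check that consults subjectAltName dNSName entries first and falls back to the CommonName only when the certificate carries none. The certificate fields are a constructed dict (assumed already parsed out of the X.509 certificate), and the wildcard rule is deliberately the strict whole-leftmost-label reading.

```python
"""RFC 2818 section 3.1 server identity check: subjectAltName dNSName
entries take precedence; the CommonName is only a fallback when the
certificate has no dNSName at all."""


def label_matches(pattern, hostname):
    """Case-insensitive match of one presented name against a hostname.
    A '*' is honoured only as the entire leftmost label ('*.example.org'),
    the stricter reading of RFC 2818's wildcard rule; '*.tld' is rejected."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def check_server_identity(cert, hostname):
    """cert: {'subject_cn': str or None, 'san_dns': [str, ...]} (constructed
    shape, assumed parsed from the peer certificate). Returns (ok, reason)
    so the caller can log why a name was accepted or rejected."""
    san = cert.get("san_dns") or []
    if san:
        for name in san:
            if label_matches(name, hostname):
                return True, "subjectAltName dNSName %r matches" % name
        # dNSName entries exist, so RFC 2818 forbids falling back to the CN
        return False, "no subjectAltName dNSName matches; CommonName ignored"
    cn = cert.get("subject_cn")
    if cn and label_matches(cn, hostname):
        return True, "CommonName %r matches (no subjectAltName present)" % cn
    return False, "Server CommonName mismatch: %r != %r" % (cn, hostname)


# Constructed certificate fields mirroring the report: a regexp-style CN that
# a CN-only check rejects, plus the dNSName entries the admins rely on.
ISP_CERT = {
    "subject_cn": "(sigma|sigma2|mailslv1).informatik.hu-berlin.de",
    "san_dns": ["sigma.informatik.hu-berlin.de",
                "sigma2.informatik.hu-berlin.de",
                "mailslv1.informatik.hu-berlin.de"],
}
CN_ONLY_CERT = {"subject_cn": "mail.example.org", "san_dns": []}

if __name__ == "__main__":
    for host in ("sigma.informatik.hu-berlin.de", "other.informatik.hu-berlin.de"):
        print(host, check_server_identity(ISP_CERT, host))
```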