[pkg-fetchmail-maint] Bug#201113: marked as done (fetchmail is missing a check for Subject Alternative Name (TLS cert.))

Debian Bug Tracking System owner at bugs.debian.org
Fri Jan 13 12:48:12 UTC 2006


Your message dated Fri, 13 Jan 2006 13:37:29 +0100
with message-id <20060113123729.GA29265 at merlin.emma.line.org>
and subject line Fixed: fetchmail is missing a check for Subject Alternative Name (TLS cert.)
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 13 Jul 2003 15:28:43 +0000
From ernie at atari.antcom.de Sun Jul 13 10:28:31 2003
Return-path: <ernie at atari.antcom.de>
Received: from pd9e7de45.dip.t-dialin.net (sbo-fido.de) [217.231.222.69] 
	by master.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 19bim7-0002bM-00; Sun, 13 Jul 2003 10:28:31 -0500
Received: (qmail 31420 invoked from network); 13 Jul 2003 15:28:28 -0000
Received: from unknown (HELO atari.antcom.de) (192.168.1.99)
  by 192.168.1.98 with SMTP; 13 Jul 2003 15:28:28 -0000
Received: from ernie by atari.antcom.de with local (Exim 3.36 #1 (Debian))
	id 19bim4-0001Iy-00; Sun, 13 Jul 2003 17:28:28 +0200
Content-Type: multipart/mixed; boundary="===============1333931622=="
MIME-Version: 1.0
From: Roland Stigge <stigge at antcom.de>
To: Debian Bug Tracking System <submit at bugs.debian.org>
Subject: fetchmail is missing a check for Subject Alternative Name (TLS cert.)
X-Mailer: reportbug 2.18
Date: Sun, 13 Jul 2003 17:28:27 +0200
Message-Id: <E19bim4-0001Iy-00 at atari.antcom.de>
Sender: Roland Stigge <ernie at atari.antcom.de>
Delivered-To: submit at bugs.debian.org
X-Spam-Status: No, hits=-12.3 required=4.0
	tests=BAYES_10,HAS_PACKAGE,PATCH_UNIFIED_DIFF
	autolearn=ham version=2.53-bugs.debian.org_2003_06_27
X-Spam-Level: 
X-Spam-Checker-Version: SpamAssassin 2.53-bugs.debian.org_2003_06_27 (1.174.2.15-2003-03-30-exp)

This is a multi-part MIME message sent by reportbug.

--===============1333931622==
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="ISO-8859-15"
Content-Disposition: inline

Package: fetchmail
Version: 6.2.2-3.1
Severity: normal
Tags: upstream patch

Hi,

the administrators of my "ISP" changed the CommonName of the mail
server's certificate. Since then, I get the following warnings when
fetching my mail:

> =====
> fetchmail: Server CommonName mismatch: 
> (sigma|sigma2|mailslv1).informatik.hu-berlin.de !=
> sigma.informatik.hu-berlin.de
> fetchmail: Server CommonName mismatch:
> (sigma|sigma2|mailslv1).informatik.hu-berlin.de !=
> sigma.informatik.hu-berlin.de
> fetchmail: Server CommonName mismatch:
> (sigma|sigma2|mailslv1).informatik.hu-berlin.de !=
> sigma.informatik.hu-berlin.de
> =====

After that, the program proceeds fine, but I get annoying warning mails
generated because of these stderr messages. I asked them about this crazy
Server Name ("(sigma|sigma2|mailslv1).informatik.hu-berlin.de") and they
said that this way, they support old Netscape versions which interpret
the CommonName as RegExp, and that after RFC 2818, the "Subject
Alternative Name" should be checked _before_ the CommonName. (In my
opinion, RFC 2595 is more appropriate, but basically means the same.)

They said that I would first have to check the Subject Alternative Name
to eliminate this problem. OK, I prepared a small patch for fetchmail
(see Attachment). Unfortunately, it uses x509v3.h instead of x509.h
(well - possibly needed anyway someday), but works quite well. :)

What do you think? In the case that you are sure that this one shouldn't
go into fetchmail, please help me to convince our admins not to use
CommonNames like the aforementioned. But then, you should also explain
why to ignore the corresponding RFCs. :-)

Thanks!

bye,
  Roland

-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux atari 2.4.20 #1 Fri Apr 4 11:15:24 CEST 2003 i686
Locale: LANG=en_IE at euro, LC_CTYPE=en_IE at euro

Versions of packages fetchmail depends on:
ii  adduser                       3.50       Add and remove users and groups
ii  base-files                    3.0.8      Debian base system miscellaneous f
ii  debconf                       1.2.42     Debian configuration management sy
ii  debianutils                   2.5.4      Miscellaneous utilities specific t
ii  libc6                         2.3.1-17   GNU C Library: Shared libraries an
ii  libssl0.9.7                   0.9.7b-2   SSL shared libraries

-- debconf information excluded


--===============1333931622==
Content-Type: text/x-c; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
	filename="/home/ernie/homepage/computer/download/fetchmail-6.2.2subjectAltName.patch"

--- socket.c	2003-02-28 11:57:25.000000000 +0100
+++ socket.c.new	2003-07-09 21:30:00.000000000 +0200
@@ -504,7 +504,7 @@
 #include "openssl/ssl.h"
 #include "openssl/err.h"
 #include "openssl/pem.h"
-#include "openssl/x509.h"
+#include "openssl/x509v3.h"
 
 static	SSL_CTX *_ctx = NULL;
 static	SSL *_ssl_context[FD_SETSIZE];
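Review bot: the switch from openssl/x509.h to openssl/x509v3.h is required, not optional, for the code in the next hunk: X509_get_ext_d2i, NID_subject_alt_name, GENERAL_NAME, GEN_DNS and the sk_GENERAL_NAME_* helpers are declared in x509v3.h, and that header itself includes x509.h, so nothing that socket.c used before is lost by dropping the old include. Since the cover note is unsure about this change, a one-line comment next to the include saying it is needed for the subjectAltName helpers would save the next reader the same doubt.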
@@ -755,14 +755,44 @@
 				char *p1 = buf;
 				char *p2 = _ssl_server_cname;
 				int n;
+				int matched = 0;
+				STACK_OF(GENERAL_NAME) *gens;
 				
+				/* RFC 2595 section 2.4: find a matching name
+				 * first find a match among alternative names */
+				gens = X509_get_ext_d2i(x509_cert, NID_subject_alt_name, NULL, NULL);
+				if (gens) {
+					int i, r;
+					for (i = 0, r = sk_GENERAL_NAME_num(gens); i < r; ++i) {
+						const GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, i);
+						if (gn->type == GEN_DNS) {
+							char *p1 = gn->d.ia5->data;
+							char *p2 = _ssl_server_cname;
+							if (outlevel == O_VERBOSE)
+								report(stderr, "Subject Alternative Name: %s\n", p1);
+							if (*p1 == '*') {
+								++p1;
+								n = strlen(p2) - strlen(p1);
+								if (n >= 0)
+									p2 += n;
+							}
+							if (0 == strcasecmp(p1, p2)) {
+								matched = 1;
+							}
+						}
+					}
+					sk_GENERAL_NAME_free(gens);
+				}
 				if (*p1 == '*') {
 					++p1;
 					n = strlen(p2) - strlen(p1);
 					if (n >= 0)
 						p2 += n;
 				}	
-				if (0 != strcasecmp(p1, p2)) {
+				if (0 == strcasecmp(p1, p2)) {
+				  matched = 1;
+				}
+				if (!matched) {
 					report(stderr,
 					    GT_("Server CommonName mismatch: %s != %s\n"),
 					    buf, _ssl_server_cname );
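Review bot: in the subjectAltName loop, `gn->d.ia5->data` is passed to report(), strlen() and strcasecmp() as a NUL-terminated C string, but an ASN1_IA5STRING is length-delimited (`gn->d.ia5->length`); a dNSName carrying an embedded NUL byte would be compared only up to that byte, so the comparison should use the length and reject any entry whose length disagrees with strlen(data). Three further points on the same hunk: RFC 2818 section 3.1 says that when dNSName entries are present they alone identify the server, so continuing to the CommonName test after a non-matching SAN list (and then reporting "Server CommonName mismatch") is more permissive than the RFC the report cites; `sk_GENERAL_NAME_free(gens)` frees only the stack and not the decoded GENERAL_NAME elements that X509_get_ext_d2i allocated, so `sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free)` is needed to avoid leaking on every connection; and the wildcard handling copied from the CommonName path strips only the `*` and compares the tail, so `*.example.com` also matches `a.b.example.com` and `*example.com` matches any host ending in `example.com`. Minor: the inner `char *p1` / `char *p2` shadow the outer variables of the same names while reusing the outer `n`, which is easy to misread, and the `matched = 1;` after the CommonName compare is indented with spaces where the surrounding code uses tabs.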

--===============1333931622==--
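As an added illustration of the RFC 2818 ordering the report describes (dNSName entries decide when present, the CommonName is only a fallback), here is a self-contained C matcher. It is not fetchmail's code and does not link against OpenSSL: SAN entries are modelled with a constructed struct that carries an explicit length, mirroring the length-delimited ASN1_IA5STRING, and the certificate names, host names and `check_*` helpers are all assumed sample values. It goes a little beyond the patch by limiting a leading `*.` to exactly one label and by rejecting names with an embedded NUL byte.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Constructed stand-in for one subjectAltName GeneralName. Real OpenSSL
 * entries are ASN1_IA5STRINGs, which are length-delimited, so the length
 * is carried explicitly instead of relying on a terminating NUL. */
typedef struct {
    int is_dns;        /* 1 for a dNSName entry, 0 for other GeneralName types */
    const char *data;  /* raw bytes of the name, not necessarily NUL-terminated */
    size_t len;        /* number of bytes in data */
} san_entry;

/* Expands to a (pointer, length) pair for a string literal. */
#define LIT(s) (s), (sizeof(s) - 1)

/* Compare one length-delimited certificate name against the configured
 * server name. A leading "*." matches exactly one label; a name with an
 * embedded NUL is rejected, because a C-string comparison would otherwise
 * stop at that byte and accept the shorter prefix. */
static int name_matches(const char *name, size_t len, const char *host)
{
    if (len == 0 || memchr(name, '\0', len) != NULL)
        return 0;

    if (len >= 2 && name[0] == '*' && name[1] == '.') {
        /* suffix points at ".example.com" for host "www.example.com"; it
         * must equal the pattern minus the '*', so only one label is covered. */
        const char *suffix = strchr(host, '.');
        if (suffix == NULL || suffix == host || strlen(suffix) != len - 1)
            return 0;
        return strncasecmp(name + 1, suffix, len - 1) == 0;
    }

    if (strlen(host) != len)
        return 0;
    return strncasecmp(name, host, len) == 0;
}

/* RFC 2818 section 3.1 order: if the certificate carries any dNSName entry,
 * those entries alone decide; the CommonName is consulted only when there
 * is no dNSName entry at all. Returns 1 on match, 0 otherwise. */
int host_matches_cert(const san_entry *sans, size_t nsans,
                      const char *cn, size_t cnlen, const char *host)
{
    int saw_dns = 0;
    size_t i;
    for (i = 0; i < nsans; i++) {
        if (!sans[i].is_dns)
            continue;
        saw_dns = 1;
        if (name_matches(sans[i].data, sans[i].len, host))
            return 1;
    }
    if (saw_dns)
        return 0;
    return name_matches(cn, cnlen, host);
}

/* Constructed sample data modelled on the certificate in the report: the
 * "regexp" CommonName plus proper dNSName entries (assumed values). */
static const char isp_cn[] = "(sigma|sigma2|mailslv1).informatik.hu-berlin.de";
static const san_entry isp_sans[] = {
    { 1, LIT("sigma.informatik.hu-berlin.de") },
    { 1, LIT("mailslv1.informatik.hu-berlin.de") },
    { 0, LIT("postmaster@informatik.hu-berlin.de") },  /* rfc822Name, ignored */
};

/* The report's CommonName with dNSName entries present: the SANs decide. */
int check_isp_host(const char *host)
{
    return host_matches_cert(isp_sans, sizeof isp_sans / sizeof isp_sans[0],
                             isp_cn, sizeof isp_cn - 1, host);
}

/* The same CommonName with no SAN extension: only an exact CN match passes. */
int check_cn_only_host(const char *host)
{
    return host_matches_cert(NULL, 0, isp_cn, sizeof isp_cn - 1, host);
}

/* A single wildcard dNSName (assumed sample value). */
int check_wildcard_host(const char *host)
{
    static const san_entry sans[] = { { 1, LIT("*.example.com") } };
    return host_matches_cert(sans, 1, LIT("ignored.example.com"), host);
}

/* A dNSName with an embedded NUL byte (constructed); it must never match
 * the part in front of the NUL. */
int check_nul_prefix_host(const char *host)
{
    static const san_entry sans[] = { { 1, LIT("www.bank.example\0.evil.test") } };
    return host_matches_cert(sans, 1, LIT("ignored.example.com"), host);
}

int main(void)
{
    printf("SAN present, sigma host:      %d\n", check_isp_host("sigma.informatik.hu-berlin.de"));
    printf("CN only, sigma host:          %d\n", check_cn_only_host("sigma.informatik.hu-berlin.de"));
    printf("wildcard, a.b.example.com:    %d\n", check_wildcard_host("a.b.example.com"));
    printf("NUL prefix, www.bank.example: %d\n", check_nul_prefix_host("www.bank.example"));
    return 0;
}
```

With the dNSName entries present the regexp-style CommonName is never consulted, which is exactly why the report's warnings disappear once SANs are checked first; with no SAN extension the same CommonName matches nothing, so the original mismatch warning would be correct rather than a nuisance.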

---------------------------------------
Received: (at 201113-close) by bugs.debian.org; 13 Jan 2006 12:38:06 +0000
From matthias.andree at gmx.de Fri Jan 13 04:38:04 2006
Return-path: <matthias.andree at gmx.de>
Received: from mail.gmx.de ([213.165.64.21] helo=mail.gmx.net)
	by spohr.debian.org with smtp (Exim 4.50)
	id 1ExOBv-0005Oy-MJ
	for 201113-close at bugs.debian.org; Fri, 13 Jan 2006 04:38:04 -0800
Received: (qmail invoked by alias); 13 Jan 2006 12:37:32 -0000
Received: from p509143BD.dip0.t-ipconnect.de (EHLO m2a2.dyndns.org) [80.145.67.189]
  by mail.gmx.net (mp002) with SMTP; 13 Jan 2006 13:37:32 +0100
X-Authenticated: #428038
Received: from localhost (localhost [127.0.0.1])
	by merlin.emma.line.org (Postfix) with ESMTP id A7F6C2004F6
	for <201113-close at bugs.debian.org>; Fri, 13 Jan 2006 13:37:31 +0100 (CET)
Received: from m2a2.dyndns.org ([127.0.0.1])
 by localhost (m2a2.dyndns.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id 26370-14 for <201113-close at bugs.debian.org>;
 Fri, 13 Jan 2006 13:37:29 +0100 (CET)
Received: by merlin.emma.line.org (Postfix, from userid 500)
	id 9B38E200A93; Fri, 13 Jan 2006 13:37:29 +0100 (CET)
Date: Fri, 13 Jan 2006 13:37:29 +0100
From: Matthias Andree <matthias.andree at gmx.de>
To: 201113-close at bugs.debian.org
Subject: Fixed: fetchmail is missing a check for Subject Alternative Name (TLS cert.)
Message-ID: <20060113123729.GA29265 at merlin.emma.line.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-PGP-Key: http://home.pages.de/~mandree/keys/GPGKEY.asc
User-Agent: Mutt/1.5.11
X-Virus-Scanned: amavisd-new at emma.line.org
X-Y-GMX-Trusted: 0
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-2.0 required=4.0 tests=BAYES_00,RCVD_IN_SORBS 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02

The bug you reported appears to be fixed by the recent upload of fetchmail 6.3.1-1.
(Apparently the Changelog lacked the magic "Closes: 201113" words).

-- 
Matthias Andree


