Sylpheed does not check SSL certificate hostname
Assignee: Hiroyuki Yamamoto
When Sylpheed connects to an IMAP/SMTP/POP server over SSL, it does not check the hostname on the SSL certificate. This is a major security problem, because it means an attacker can man-in-the-middle an SSL connection by purchasing a valid certificate for his/her own domain and using it in the attack. Since the certificate is valid, Sylpheed accepts it, even though it's not for the hostname Sylpheed thinks it's connecting to.
The attached patch fixes the problem by making sure the name on the certificate matches the hostname Sylpheed is connecting to. The code to properly check a certificate's hostname with OpenSSL is not simple, so I used the MIT-licensed example code provided here: https://github.com/iSECPartners/ssl-conservatory
#1 Updated by Hiroyuki Yamamoto 11 months ago
- Status changed from New to Confirmed
- Assignee set to Hiroyuki Yamamoto
- Target version set to 3.4
Thanks for the patch. I will add the SSL certificate hostname check in the next 3.4 release.
(and sorry about not replying to the e-mail you sent last month.)
#3 Updated by Hiroyuki Yamamoto 11 months ago
- Status changed from In Progress to Resolved
Fixed in r3318:3323.
- separated additional code to independent files because of different license
- modified naming convention to match LibSylph
- used X509_V_ERR_APPLICATION_VERIFICATION to represent hostname mismatch
- modified SOCKS proxy code to validate with endpoint hostname
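The check the report asks for and the resolution describes, as an added stand-alone example (not Sylpheed's patch, not the ssl-conservatory code, and independent of OpenSSL): the certificate's SAN dNSName entries are compared first, the Common Name is only a fallback, and the name compared against is the endpoint host, which is the point of the SOCKS proxy change. The single-label wildcard rule is an assumption added here beyond what the report describes.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Result of checking the peer certificate's names against the expected host. */
typedef enum { HOST_MATCH, HOST_MISMATCH, HOST_INVALID } host_result;

/* Case-insensitive equality for DNS names (labels are case-insensitive). */
static bool name_eq(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == '\0' && *b == '\0';
}

/* Match one certificate name (SAN dNSName or CN) against the hostname.
 * A '*' is honoured only as the whole leftmost label ("*.example.com"),
 * covers exactly one label, and "*.com"-style patterns never match. */
static bool name_matches(const char *pattern, const char *host)
{
    if (pattern == NULL || host == NULL || *pattern == '\0' || *host == '\0')
        return false;
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        if (dot == NULL || dot == host || strchr(pattern + 2, '.') == NULL)
            return false;
        return strchr(pattern + 2, '*') == NULL && name_eq(pattern + 2, dot + 1);
    }
    return strchr(pattern, '*') == NULL && name_eq(pattern, host);
}

/* host: the server the client intends to talk to. Behind a SOCKS proxy this
 * must be the endpoint (IMAP/SMTP/POP) host, never the proxy's own name.
 * sans: dNSName values from the SAN extension (NULL/0 when absent);
 * cn: subject Common Name (may be NULL). SAN, when present, is authoritative. */
host_result validate_hostname(const char *host, const char **sans,
                              size_t n_sans, const char *cn)
{
    if (host == NULL || *host == '\0')
        return HOST_INVALID;
    if (sans != NULL && n_sans > 0) {
        for (size_t i = 0; i < n_sans; i++)
            if (name_matches(sans[i], host))
                return HOST_MATCH;
        return HOST_MISMATCH;   /* SAN present: do not fall back to the CN */
    }
    return name_matches(cn, host) ? HOST_MATCH : HOST_MISMATCH;
}
```

A chain that validates but carries only the attacker's own name returns HOST_MISMATCH, which is the case the unpatched client accepted.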