Bug #167

Sylpheed does not check SSL certificate hostname

Added by Andrew Ayer 10 months ago. Updated 9 months ago.

Status: Closed
Start date: 02/24/2014
Priority: High
Due date:
Assignee: Hiroyuki Yamamoto
% Done: 0%
Category: Security
Spent time: -
Target version: 3.4

Description

When Sylpheed connects to an IMAP/SMTP/POP server over SSL, it does not check the hostname on the SSL certificate. This is a major security problem, because it means an attacker can man-in-the-middle an SSL connection by purchasing a valid certificate for his/her own domain and using it in the attack. Since the certificate is valid, Sylpheed accepts it, even though it's not for the hostname Sylpheed thinks it's connecting to.

The attached patch fixes the problem by making sure the name on the certificate matches the hostname Sylpheed is connecting to. The code to properly check a certificate's hostname with OpenSSL is not simple, so I used the MIT-licensed example code provided here: https://github.com/iSECPartners/ssl-conservatory

sylpheed-check-ssl-hostname.patch (7.85 KB) Andrew Ayer, 02/24/2014 03:59 AM

History

#1 Updated by Hiroyuki Yamamoto 10 months ago

  • Status changed from New to Confirmed
  • Assignee set to Hiroyuki Yamamoto
  • Target version set to 3.4

Hello,

Thanks for the patch. I will add the SSL certificate hostname check in the next 3.4 release.
(and sorry about not replying to the e-mail you sent last month.)

#2 Updated by Hiroyuki Yamamoto 10 months ago

  • Status changed from Confirmed to In Progress

#3 Updated by Hiroyuki Yamamoto 10 months ago

  • Status changed from In Progress to Resolved

Fixed in r3318:3323.

  • separated additional code to independent files because of different license
  • modified naming convention to match LibSylph
  • used X509_V_ERR_APPLICATION_VERIFICATION to represent hostname mismatch
  • modified SOCKS proxy code to validate with endpoint hostname

#4 Updated by Hiroyuki Yamamoto 9 months ago

  • Status changed from Resolved to In Progress

It was found that the patch does not check wildcard certificates (*.some.domain) at all.
I'll add it by the next release.

#5 Updated by Hiroyuki Yamamoto 9 months ago

  • Status changed from In Progress to Resolved

Fixed in 3.4.0rc.

#6 Updated by Hiroyuki Yamamoto 9 months ago

  • Status changed from Resolved to Closed
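
The hostname check this report asks for, including the wildcard case raised in update #4, as an added example (it is not Sylpheed's code, the attached patch, or the ssl-conservatory code). The function name `hostname_matches` and all sample names are constructed; it assumes the caller has already extracted a dNSName or CN value and its recorded length from the certificate, and it handles ASCII DNS names only.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Return 1 if a certificate name (dNSName SAN or CN value) matches the
 * hostname the client meant to reach, 0 otherwise. name_len is the length
 * recorded in the certificate; name[name_len] is assumed to be '\0'. */
int hostname_matches(const char *name, size_t name_len, const char *host)
{
    if (name == NULL || host == NULL || name_len == 0)
        return 0;
    /* Embedded NUL: C string functions would see a truncated name. */
    if (memchr(name, '\0', name_len) != NULL)
        return 0;
    if (strcasecmp(name, host) == 0)          /* exact, case-insensitive */
        return 1;

    /* Wildcard: only "*" as the complete left-most label is accepted. */
    if (name_len < 3 || name[0] != '*' || name[1] != '.')
        return 0;
    const char *suffix = name + 1;            /* e.g. ".some.domain" */
    if (strchr(suffix, '*') != NULL)          /* no second wildcard */
        return 0;
    if (strchr(suffix + 1, '.') == NULL)      /* refuse "*.com" */
        return 0;

    /* "*" stands for exactly one non-empty label of the hostname. */
    const char *first_dot = strchr(host, '.');
    if (first_dot == NULL || first_dot == host)
        return 0;
    return strcasecmp(first_dot, suffix) == 0;
}

int main(void)
{
    /* Constructed sample names, not taken from the bug report. */
    const char *host = "imap.some.domain";
    const char *names[] = { "imap.some.domain", "*.some.domain",
                            "*.domain", "mail.attacker.test" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-20s -> %d\n", names[i],
               hostname_matches(names[i], strlen(names[i]), host));
    return 0;
}
```

OpenSSL 1.0.2 and later provide `X509_check_host()`, which performs this matching inside the library.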
