[MacPorts] #65297: Alpine fails to validate certs with no extensions
MacPorts
noreply at macports.org
Sat Jun 4 22:22:46 UTC 2022
#65297: Alpine fails to validate certs with no extensions
----------------------------+--------------------
Reporter: steven-michaud | Owner: (none)
Type: defect | Status: new
Priority: Normal | Milestone:
Component: ports | Version:
Keywords: | Port: alpine
----------------------------+--------------------
When using TLS to connect to a mail server, by default Alpine tries to
validate the server's certificate. But it currently fails with a perfectly
valid cert that doesn't have any `subject_alt_name` extensions. The error
is "Server name does not match certificate cert", even though the name
does match.

Commercial IMAP servers tend to have very complex environments, and their
certs usually have multiple `subject_alt_name` extensions. Alpine
currently works with those, as long as at least one `subject_alt_name`
matches the name of the server Alpine is trying to connect to. But I've
set up an IMAP server on my own private network, using a CA server and
certs that I created "by hand" (using only openssl commands). Those certs
don't have any extensions at all. So Alpine is unable to validate my IMAP
server's extension, even though its CN does match my server's name.

This problem is caused by faulty logic in Alpine's `ssl_validate_cert()`
function in `ssl_unix.c`. I have a patch to fix this. I'll say more in a
later comment.

--
Ticket URL: <https://trac.macports.org/ticket/65297>
MacPorts <https://www.macports.org/>
Ports system for macOS
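
The name check the ticket expects, as an added example that is neither Alpine's code nor the reporter's patch: when DNS `subject_alt_name` entries exist they alone decide (the RFC 6125 rule), and only a cert without them falls back to the CN. The struct, the function names and the sample host names are hypothetical; the sketch also goes slightly beyond the ticket by handling case-insensitive and leading-wildcard names.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for the names read from a server certificate. */
struct cert_names {
    const char *cn;          /* subject Common Name, or NULL */
    const char *const *san;  /* DNS subject_alt_name entries */
    size_t san_count;        /* 0 means the cert carries no such extension */
};

/* Constructed samples: a hand-made cert without extensions, and one with SANs. */
static const char *const SAMPLE_SANS[] = { "mail.example.com", "*.example.net" };
static const struct cert_names NO_EXT = { "imap.home.example", NULL, 0 };
static const struct cert_names WITH_SAN = { "imap.home.example", SAMPLE_SANS, 2 };

/* Case-insensitive equality for ASCII host names. */
static int host_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Match one cert name against host; "*." covers exactly one leading label. */
static int name_matches(const char *pattern, const char *host)
{
    if (pattern == NULL || host == NULL)
        return 0;
    if (pattern[0] == '*' && pattern[1] == '.') {
        const char *dot = strchr(host, '.');
        return dot != NULL && dot != host && host_eq(pattern + 1, dot);
    }
    return host_eq(pattern, host);
}

/* Returns 1 if the certificate's names cover host, 0 otherwise. */
int cert_covers_host(const struct cert_names *c, const char *host)
{
    if (c->san_count > 0) {            /* SANs present: they alone decide */
        for (size_t i = 0; i < c->san_count; i++)
            if (name_matches(c->san[i], host))
                return 1;
        return 0;                      /* a matching CN is not consulted */
    }
    return name_matches(c->cn, host);  /* no SANs at all: fall back to the CN */
}

int main(void)
{
    return (cert_covers_host(&NO_EXT, "imap.home.example") &&
            !cert_covers_host(&WITH_SAN, "imap.home.example")) ? 0 : 1;
}
```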