
List:       full-disclosure
Subject:    [Full-disclosure] OS X Mail.app Insecure TLS Usage With SMTPS?
From:       Sabahattin Gucukoglu <mail () sabahattin-gucukoglu ! com>
Date:       2010-10-31 4:47:43
Message-ID: 48DF22D0-851E-4F61-88F4-82CA4DEF43E7 () sabahattin-gucukoglu ! com

I'm getting a bit panicky here.

I just upgraded to a CA-issued certificate.  They require an intermediate CA not in OS roots.  I installed it on all my services, but my SMTP proxy only advertises the primary (server) certificate.  I noticed this when verifying several services a short while later, but not, I suddenly realised, without having successfully sent some mail first through that same server and proxy.

I checked Keychain Access, nothing.  Tried to find a way to clear any kind of state or cache, nothing.  I looked at my old certificate, and noticed that I'd never have seen this before, since I would have readily imported the CA key when installing it.

Now, could somebody please see if Mail.app will connect to custom port n of choice, SSL enabled, running Direct SSL, with "Password" (i.e., plain) authentication, and not bat an eyelid when the cert is invalid because it's unverified at the first hop?  Extra points for testing various versions (I'm on 10.6.4 latest), or for seeing if completely invalidating the cert would bother it either (at least one of my other clients doesn't even *try*, but it's not an important one) ...

Thank you!

Cheers,
Sabahattin

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
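
The chain problem described in the message above (a server that presents only its own certificate while the client trusts only the root) can be reproduced offline with openssl. This is an added example, not part of the original post; the throwaway PKI, subject names, file names and helper functions are all constructed for illustration.

```shell
#!/bin/sh
# Constructed throwaway PKI: root CA -> intermediate CA -> server certificate.
# All subject names and file names are made up for this example.

build_pki() {   # $1 = empty working directory
    ( cd "$1" || exit 1
      printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
      printf 'basicConstraints=CA:FALSE\n' > leaf.ext
      for n in root int leaf; do
          openssl req -new -newkey rsa:2048 -nodes -keyout "$n.key" \
              -out "$n.csr" -subj "/CN=example-$n.test" || exit 1
      done
      # Self-signed root: the only certificate the client will trust.
      openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
          -days 2 -out root.pem &&
      # Intermediate signed by the root (the piece the proxy did not send).
      openssl x509 -req -in int.csr -CA root.pem -CAkey root.key \
          -CAcreateserial -extfile ca.ext -days 2 -out int.pem &&
      # Server certificate signed by the intermediate.
      openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key \
          -CAcreateserial -extfile leaf.ext -days 2 -out leaf.pem
    ) >/dev/null 2>&1
}

# Verify the way a client should: trust only $1, check server cert $2,
# treating $3 (optional) as the extra certificates the server sent.
client_verify() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2"
    else
        openssl verify -CAfile "$1" "$2"
    fi >/dev/null 2>&1
}

WORK=$(mktemp -d) && trap 'rm -rf "$WORK"' EXIT
build_pki "$WORK" || { echo "openssl could not build the test PKI" >&2; exit 1; }

verdict() {   # $1 = optional file of intermediates sent by the server
    if client_verify "$WORK/root.pem" "$WORK/leaf.pem" ${1:+"$WORK/$1"}; then
        echo accept
    else
        echo reject
    fi
}

echo "server sends leaf only:           $(verdict)"
echo "server sends leaf + intermediate: $(verdict int.pem)"
```

Against a live listener, `openssl s_client -connect HOST:PORT -showcerts` (HOST:PORT being a placeholder) lists the certificates the server actually sends, which is how a leaf-only chain shows up in practice.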

