
List:       mutt-dev
Subject:    [Mutt] #3510: Expiration date of an SSL certificate not checked
From:       Mutt <fleas () mutt ! org>
Date:       2011-04-10 13:59:45
Message-ID: 037.802143fb52e939b2dcf1ea3630ec05dc () mutt ! org

#3510: Expiration date of an SSL certificate not checked
--------------------+-------------------------------------------------------
 Reporter:  wodny   |       Owner:  mutt-dev
     Type:  defect  |      Status:  new     
 Priority:  major   |   Milestone:          
Component:  mutt    |     Version:  1.5.20  
 Keywords:          |  
--------------------+-------------------------------------------------------
 My mail account provider netmark.pl (also using a name r1.2box.pl) has a
 mail server supporting IMAP with TLS. It is available at wodny.org:143.
 For some time the server used an expired certificate and something unusual
 happened. Fetchmail, esmtp and stunnel refused to connect, but mutt-1.5.20
 still allowed that.

 The testing environment could be easily created, because the new
 certificate is valid only for one year.

 There were two certificates presented during the connection:
  0 s:[...]/CN=r1.2box.pl
    i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
  1 s:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority


 The ssl_verify_dates option was enabled, and Mutt, recompiled by me, entered
 the code checking certificates' dates. Still, this did not cause the
 connecting process to stop. The recompiled version was used for debugging.
 Originally a Debian package version was used.



 The interesting part seems to be at the end of the mutt_ssl_gnutls.c file...

 The loop beginning at line 1003 does not do anything here, as the Equifax
 certificate is in /etc/ssl/certs and it is valid. The certificate issued
 to r1.2box.pl is not stored on the disk. The condition "if (savedcert)" at
 line 1008 is never true.

 Then the code goes as far as line 1032, where it returns 1 (everything OK),
 but while still at the stage of checking the root CA.

 So the certificate issued by Equifax to r1.2box.pl is not checked.



 I have not been prompted whether I would like to add an exception, as
 usually happens.



 Debian Security Team has been informed. There has been the CVE-2011-0429
 id assigned to this issue.

 The bug is also present in version 1.5.21.

 Might be associated with bug #3506.

-- 
Ticket URL: <http://dev.mutt.org/trac/ticket/3510>
Mutt <http://www.mutt.org/>
The Mutt mail user agent
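The chain walk the ticket describes, modelled in Python as an added example (this is not mutt's code): a verifier that accepts as soon as it reaches a trusted CA never examines the leaf below it, so an expired server certificate passes; the corrected routine checks every certificate in the chain. The chain, trust store and dates are constructed for illustration, shaped after the two certificates listed in the report.

```python
from datetime import datetime, timezone

UTC = timezone.utc
EQUIFAX = "/C=US/O=Equifax/OU=Equifax Secure Certificate Authority"
TRUSTED_ROOTS = {EQUIFAX}  # stands in for the CAs found under /etc/ssl/certs


def cert(subject, issuer, not_before, not_after):
    """Minimal stand-in for a parsed X.509 certificate (constructed data)."""
    return {"subject": subject, "issuer": issuer,
            "not_before": not_before, "not_after": not_after}


# Constructed chains: an expired leaf for r1.2box.pl and its renewed one-year
# replacement, both issued by the (still valid) Equifax root. Dates are invented.
ROOT = cert(EQUIFAX, EQUIFAX,
            datetime(1998, 8, 22, tzinfo=UTC), datetime(2018, 8, 22, tzinfo=UTC))
EXPIRED_CHAIN = [cert("/CN=r1.2box.pl", EQUIFAX,
                      datetime(2010, 3, 1, tzinfo=UTC), datetime(2011, 3, 1, tzinfo=UTC)),
                 ROOT]
RENEWED_CHAIN = [cert("/CN=r1.2box.pl", EQUIFAX,
                      datetime(2011, 3, 1, tzinfo=UTC), datetime(2012, 3, 1, tzinfo=UTC)),
                 ROOT]
REPORT_DATE = datetime(2011, 4, 10, tzinfo=UTC)  # the day the ticket was filed


def dates_ok(c, now):
    return c["not_before"] <= now <= c["not_after"]


def verify_short_circuit(chain, now, trusted=TRUSTED_ROOTS):
    """Models the flawed flow from the ticket: walk from the root end toward
    the leaf and accept as soon as a trusted CA with valid dates is met.
    Certificates below that CA, including the expired leaf, are never examined."""
    for c in reversed(chain):
        if c["subject"] in trusted:
            return dates_ok(c, now)
    return False  # no trusted anchor; the real client would prompt the user here


def verify_whole_chain(chain, now, trusted=TRUSTED_ROOTS):
    """Corrected flow: the chain must end in a trusted root, each link must name
    its parent as issuer, and every certificate must be valid at 'now'."""
    if not chain or chain[-1]["subject"] not in trusted:
        return False
    for child, parent in zip(chain, chain[1:]):
        if child["issuer"] != parent["subject"]:
            return False
    return all(dates_ok(c, now) for c in chain)
```

Hostname matching and signature verification are deliberately left out; the point here is only that date checks must cover every certificate in the chain, not just the trust anchor.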