aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMatthias Andree <matthias.andree@gmx.de>2009-08-05 23:05:54 +0000
committerMatthias Andree <matthias.andree@gmx.de>2009-08-05 23:05:54 +0000
commit9d1fb0f612794c8287ed5a8f0a53e71fcb3ae5fa (patch)
treed4d9aaf0d117457a0636c002f1201165f623305f
parentdefebaa488f22c77009c7dfdd38045138baa342c (diff)
downloadfetchmail-9d1fb0f612794c8287ed5a8f0a53e71fcb3ae5fa.tar.gz
fetchmail-9d1fb0f612794c8287ed5a8f0a53e71fcb3ae5fa.tar.bz2
fetchmail-9d1fb0f612794c8287ed5a8f0a53e71fcb3ae5fa.zip
Revise section 2 for readability, mention recommended settings.
svn path=/branches/BRANCH_6-3/; revision=5395
-rw-r--r--fetchmail-SA-2009-01.txt25
1 files changed, 19 insertions, 6 deletions
diff --git a/fetchmail-SA-2009-01.txt b/fetchmail-SA-2009-01.txt
index 93622c99..f1293e53 100644
--- a/fetchmail-SA-2009-01.txt
+++ b/fetchmail-SA-2009-01.txt
@@ -50,13 +50,26 @@ run time.
Moxie Marlinspike demonstrated in July 2009 that some CAs would sign
certificates that contain embedded NUL characters in the Common Name or
-subjectAltName fields of ITU-T X.509 certificates. Applications what
-would treat such strings in X.509 as NUL-terminated C strings (rather
-than strings that contain an explicit length field) would only
-check the part up to and excluding the NUL character, so that
+subjectAltName fields of ITU-T X.509 certificates.
+
+Applications that would treat such X.509 strings as NUL-terminated C
+strings (rather than strings that contain an explicit length field)
+would only check the part up to and excluding the NUL character, so that
certificate names such as www.good.example\0www.bad.example.com would be
-mistaken as a certificate name for www.good.example. The CA however
-would usually sign example.com and not care about the subdomain.
+mistaken as a certificate name for www.good.example. fetchmail also had
+this design and implementation flaw.
+
+Note that fetchmail should always be forced to use strict certificate
+validation through either of these option combinations:
+
+ --sslcertck --ssl --sslproto ssl3 (for service on SSL-wrapped ports)
+or
+ --sslcertck --sslproto tls1 (for STARTTLS-based services)
+
+(These are for the command line, in the rcfile, you will need to omit
+the respective leading --).
+
+The default is relaxed checking for compatibility with historic versions.
3. Solution