oss-sec mailing list archives
Re: CVE request: sSMTP doesn't validate server certificates
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 11 Oct 2012 11:00:51 -0600
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 10/11/2012 09:43 AM, Vincent Danen wrote:
* [2012-10-10 11:59:13 +0200] Laurent Bigonville wrote:Hi, It seems that sSMTP is not checking the server certificate when connecting. This is quite annoying as one of the main ssmtp purpose is to be used on satellite systems that could be connected to untrusted networks. This has been reported (with a proposed patch) to the Debian BTS (see [0]) Could you please allocate a CVE number for this? Cheers Laurent Bigonville [0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=662960I'm not sure it deserves one. If you look at the TLS file in the source tarball, it indicates that checking server certificates is not implemented and is something to add in the future: TODO: * Check server certificate for changes and notify about it. * Diffrent Certificate and Key file? Since sSMTP clearly indicates that this feature is missing and unsupported, then it was designed to _not_ do certificate checking. Regardless of how good or bad that is, it was a design choice (to leave it for a later date), and it's also clearly documented. To me, that doesn't seem like a security flaw (as in sSMTP was designed to check certificates and didn't or didn't do a good job of it).
Agreed, it's documented as a missing capability, so adding this counts as security hardening, not a security fix. No CVE assigned. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iQIcBAEBAgAGBQJQdvtAAAoJEBYNRVNeJnmThPIP/jXLMk2ZFbkW6D+itHm4BhDV 6Me9vqFq5ak0SM9SSj0I6+K2J2ne40oIUBx4HWha355OEP3knVZIwpQAsy448Akb yTHNyYBDuOdahe+ZGvPM0T516BXMfx0B8nnirDY0TGchjShQECuYJzrrcKGm3q76 yACkNfAdUEosW9D+iik+r2mhOaNrEZRjarv5dbUqDrngJzguoJaDkHaZaVEL2oa8 6dHeS0ZzbEysQjHEhlx0hwe9Gla0gUfIq+yJZAywLWhiGwiSLIZD9RqgC4REEsIq BEcAaPkfv5kzINJhdH2YshVoQE4+y7nHhaLBGkJR4pjo0E3AF/r12Vd3NR/PjMv8 mITWCAMMYPZgshYhHDknPhH5k+YFon1Mhf0FlZ2c7yhyT3XU9aTc3h491flMCWbt Yi4uqsaH4PvNePwKDvxIGrjJy71GkN4WTG5eR1o9K7+dkkoY6r/Fd6lMDzhlTKDm ebCt6fDiEf4qFBgogQKJWoKRwmBBqa5UxKYWzw9xmbNNPz3MdxcXU5t7Yc462j4N 0AoU58/3iatReYuSftZvLHRTYpe9x5C1ifh2CXUxuY6V+HkShxu3uIKMYrNh4dgl L4aUETvYriNMjYZZws+N2+cYAUZ/FBY+7fVPfOsTb+IlamBS7daTn1pU0tOFMb2m gl2+SBdo+XihXxYHGlxC =bPeF -----END PGP SIGNATURE-----
Current thread:
- CVE request: sSMTP doesn't validate server certificates Laurent Bigonville (Oct 10)
- Re: CVE request: sSMTP doesn't validate server certificates Vincent Danen (Oct 11)
- Re: CVE request: sSMTP doesn't validate server certificates Kurt Seifried (Oct 11)
- Re: CVE request: sSMTP doesn't validate server certificates Vincent Danen (Oct 11)