Should not use canonical hostname when doing TLS certificate checks #20

Open
william-perry opened this issue Mar 15, 2024 · 1 comment

Comments

@william-perry

libesmtp will currently fail if trying to use smtp.office365.com as the outgoing mail server because it fails the SAN checks in tlsutil.c. This is because check_acceptable_security in smtp-tls.c has this logic:

   /* use canonic hostname for validation if available */
  host = session->canon != NULL ? session->canon : session->host;

But for smtp.office365.com that canonical hostname ends up being SJC-efz.ms-acdc.office.com, which does not match any of the SANs because the wildcard for *.office.com (correctly) only matches one hostname segment.

host smtp.office365.com
smtp.office365.com is an alias for outlook.office365.com.
outlook.office365.com is an alias for ooc-g2.tm-4.office.com.
ooc-g2.tm-4.office.com is an alias for outlook.ms-acdc.office.com.
outlook.ms-acdc.office.com is an alias for SJC-efz.ms-acdc.office.com.
SJC-efz.ms-acdc.office.com has address 52.96.166.162
SJC-efz.ms-acdc.office.com has address 52.96.110.82
SJC-efz.ms-acdc.office.com has address 52.96.110.18
SJC-efz.ms-acdc.office.com has address 52.96.110.66
SJC-efz.ms-acdc.office.com has IPv6 address 2603:1036:307:48e1::2
SJC-efz.ms-acdc.office.com has IPv6 address 2603:1036:307:486c::2
SJC-efz.ms-acdc.office.com has IPv6 address 2603:1036:307:486d::2
SJC-efz.ms-acdc.office.com has IPv6 address 2603:1036:307:2874::2
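
The single-label wildcard behaviour described in the issue above, as an added example (not libesmtp's tlsutil.c code and not part of the original post). The SAN list is constructed for illustration and the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Match one dNSName SAN against a reference hostname.  A "*" is honoured
   only as the whole left-most label and stands for exactly one label. */
static int
san_matches (const char *san, const char *host)
{
  const char *rest;

  if (strncmp (san, "*.", 2) != 0)
    return strcasecmp (san, host) == 0;
  rest = strchr (host, '.');
  /* need a non-empty first label in host, then an exact match on the rest */
  if (rest == NULL || rest == host)
    return 0;
  return strcasecmp (san + 1, rest) == 0;
}

/* Return 1 if any SAN in the list matches host. */
static int
any_san_matches (const char *const *sans, size_t n, const char *host)
{
  size_t i;

  for (i = 0; i < n; i++)
    if (san_matches (sans[i], host))
      return 1;
  return 0;
}

/* Constructed SAN list for illustration; not the real certificate. */
static const char *const sample_sans[] =
  { "*.office365.com", "*.office.com", "outlook.com" };
#define N_SANS (sizeof sample_sans / sizeof sample_sans[0])

int
main (void)
{
  const char *configured = "smtp.office365.com";        /* name the user set */
  const char *canonical = "SJC-efz.ms-acdc.office.com"; /* end of CNAME chain */

  printf ("%-28s %s\n", configured,
          any_san_matches (sample_sans, N_SANS, configured) ? "match" : "no match");
  printf ("%-28s %s\n", canonical,
          any_san_matches (sample_sans, N_SANS, canonical) ? "match" : "no match");
  return 0;
}
```
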
@william-perry
Author

Patch is trivial:

diff --git a/smtp-tls.c b/smtp-tls.c
index 360c12b..8edbd1c 100644
--- a/smtp-tls.c
+++ b/smtp-tls.c
@@ -537,8 +537,13 @@ check_acceptable_security (smtp_session_t session, SSL *ssl)
   long vfy_result;
   int ok;
 
-  /* use canonic hostname for validation if available */
-  host = session->canon != NULL ? session->canon : session->host;
+  // Do not use canonical name here
+  //
+  // Otherwise smtp.office365.com fails to match because it goes
+  // through a bunch of CNAME lookups to a cloud instance that has a
+  // canonical name like SJC-efz.ms-acdc.office.com, which will not
+  // match any of the SANs in its cert.
+  host = session->host;
 
   /* Check certificate validity.
    */
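
Review bot: The replacement comment above `host = session->host;` records only the smtp.office365.com symptom and is written with `//`, while the removed line and the following `/* Check certificate validity.` comment use `/* */`. Consider a block comment that states the rule itself: the certificate is checked against the hostname the caller configured, not against a name reached by following CNAME records, since the latter makes the SAN check depend on DNS answers. If `session->canon` has no other reader after this change, it is worth saying so or removing it in the same patch.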
