Full Disclosure mailing list archives

OS X Mail.app Insecure TLS Usage With SMTPS?
From: Sabahattin Gucukoglu <mail () sabahattin-gucukoglu com>
Date: Sun, 31 Oct 2010 04:47:43 +0000

I'm getting a bit panicky here.

I just upgraded to a CA-issued certificate.  They require an intermediate CA not in OS roots.  I installed it on all my 
services, but my SMTP proxy only advertises the primary (server) certificate.  I noticed this when verifying several 
services a short while later, but not, I suddenly realised, without having successfully sent some mail first through 
that same server and proxy.

I checked Keychain Access, nothing.  Tried to find a way to clear any kind of state or cache, nothing.  I looked at my 
old certificate, and noticed that I'd never have seen this before, since I would have readily imported the CA key when 
installing it.

Now, could somebody please see if Mail.app will connect to custom port n of choice, SSL enabled, running Direct SSL, 
with "Password" (i.e., plain) authentication, and not bat an eyelid when the cert is invalid because it's unverified at 
the first hop?  Extra points for testing various versions (I'm on 10.6.4 latest), or for seeing if completely 
invalidating the cert would bother it either (at least one of my other clients doesn't even *try*, but it's not an 
important one) ...

Thank you!


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
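
The server-side condition the post describes, a server presenting only its own certificate while the issuing intermediate CA is absent from the client's roots, can be reproduced offline with a throwaway PKI. This is an added example, not part of the original post: the certificate names are constructed, and `openssl verify` stands in for a strictly validating client.

```shell
#!/bin/sh
# Constructed throwaway PKI: root -> intermediate -> leaf. All names are made up.
make_pki() (
    cd "$1" || exit 1
    printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=unused\n' > req.cnf
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    for n in root inter leaf; do
        openssl req -new -newkey rsa:2048 -nodes -config req.cnf \
            -subj "/CN=constructed-$n" -keyout "$n.key" -out "$n.csr" \
            2>/dev/null || exit 1
    done
    # Self-signed root: stands in for a CA already in the OS trust store.
    openssl x509 -req -in root.csr -signkey root.key -days 1 \
        -extfile ca.ext -out root.pem 2>/dev/null || exit 1
    # Intermediate signed by the root: NOT in the trust store.
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key \
        -CAcreateserial -days 1 -extfile ca.ext -out inter.pem 2>/dev/null || exit 1
    # Server (leaf) certificate signed by the intermediate.
    openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key \
        -CAcreateserial -days 1 -out leaf.pem 2>/dev/null || exit 1
)

# Server sends only its own certificate: no path to the root can be built.
verify_leaf_only() {
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>&1 | grep -q ': OK$'
}

# Server also sends the intermediate; -untrusted models certificates that
# arrive in the handshake rather than from the local trust store.
verify_with_intermediate() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" \
        "$1/leaf.pem" 2>&1 | grep -q ': OK$'
}

demo_dir=$(mktemp -d)
make_pki "$demo_dir" || { echo "openssl key/cert generation failed" >&2; exit 1; }
if verify_leaf_only "$demo_dir"; then r=accepted; else r=rejected; fi
echo "leaf only:           $r"
if verify_with_intermediate "$demo_dir"; then r=accepted; else r=rejected; fi
echo "leaf + intermediate: $r"
rm -rf "$demo_dir"
```

A client that accepts the leaf-only case without the intermediate being available to it from somewhere else is not building a path to a trusted root.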
