Re: CVE request: sSMTP doesn't validate server certificates
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 11 Oct 2012 11:00:51 -0600
On 10/11/2012 09:43 AM, Vincent Danen wrote:
> * [2012-10-10 11:59:13 +0200] Laurent Bigonville wrote:
>> It seems that sSMTP is not checking the server certificate when
>> connecting. This is quite annoying as one of the main ssmtp
>> purposes is to be used on satellite systems that could be
>> connected to untrusted networks.
>>
>> This has been reported (with a proposed patch) to the Debian BTS
>>
>> Could you please allocate a CVE number for this?
>
> I'm not sure it deserves one.
>
> If you look at the TLS file in the source tarball, it indicates
> that checking server certificates is not implemented and is
> something to add in the future:
>
>     TODO:
>     * Check server certificate for changes and notify about it.
>     * Diffrent Certificate and Key file?
>
> Since sSMTP clearly indicates that this feature is missing and
> unsupported, then it was designed to _not_ do certificate
> checking. Regardless of how good or bad that is, it was a design
> choice (to leave it for a later date), and it's also clearly
>
> To me, that doesn't seem like a security flaw (as in sSMTP was
> designed to check certificates and didn't or didn't do a good job
Agreed, it's documented as a missing capability, so adding this counts
as security hardening, not a security fix. No CVE assigned.
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
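The thread turns on one technical point: an SMTP client that speaks TLS but never validates the server certificate gets encryption without authentication, so an on-path host on an untrusted network can present any certificate and be accepted. The example below (added here; it is not sSMTP code and not part of the original mail) shows, with the Python standard library only, what "checking the server certificate" consists of for a STARTTLS client: a context that requires a trusted chain and a hostname match, the weak no-check configuration beside it for contrast, and a hostname matcher run over a constructed `getpeercert()`-style dictionary so the matching rule (subjectAltName first, wildcard only as the whole leftmost label) can be seen working offline. The sample certificate dictionary, `mail.example.org`, and the function names are constructed for illustration.

```python
"""Added example: server-certificate validation for an SMTP STARTTLS client.
Not sSMTP code; Python 3 standard library only. Sample data is constructed."""
import smtplib
import ssl


def verifying_context(cafile=None):
    """Context a client needs in order to reject untrusted or mismatched
    server certificates. With cafile=None the system trust store is used."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True            # SAN/CN must match the server name
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain must lead to a trusted CA
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def unchecked_context():
    """The weak configuration for contrast: the handshake still encrypts,
    but any certificate whatsoever is accepted, which is what a client
    that 'does not check server certificates' amounts to."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_strict(ctx):
    """True only if the context both verifies the chain and the hostname."""
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED


def _name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive, and a wildcard is only
    allowed as the entire leftmost label (so '*.example.org' does not match
    'example.org' or 'a.b.example.org')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(cert, hostname):
    """Match a getpeercert()-style dict against the expected server name.
    subjectAltName dNSName entries are authoritative; the subject CN is
    consulted only when the certificate carries no dNSName at all."""
    san_dns = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san_dns:
        return any(_name_matches(p, hostname) for p in san_dns)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _name_matches(value, hostname)
    return False


# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.example.org"),),),
    "subjectAltName": (("DNS", "mail.example.org"), ("DNS", "*.example.org")),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


def send_checked(host, port, from_addr, to_addrs, message, cafile=None):
    """Deliver one message over STARTTLS with full certificate validation.
    Needs network access; ssl raises SSLCertVerificationError on an
    untrusted chain or a name mismatch before any mail data is sent."""
    with smtplib.SMTP(host, port) as smtp:
        smtp.starttls(context=verifying_context(cafile))
        # Belt and braces: the context already verified the name; this
        # re-checks the negotiated certificate with the matcher above.
        if not cert_matches_host(smtp.sock.getpeercert(), host):
            raise ssl.CertificateError("server name mismatch for %s" % host)
        return smtp.sendmail(from_addr, to_addrs, message)


if __name__ == "__main__":
    for name in ("mail.example.org", "smtp.example.org", "a.b.example.org", "example.org"):
        print(name, cert_matches_host(SAMPLE_CERT, name))
```

The two contexts differ in two attributes only, which is why a client author can ship TLS support and still leave authentication out, as the sSMTP TODO file acknowledges; `context_is_strict` is the one-line check a packager can apply to any client-side `SSLContext` before trusting it on a hostile network.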