Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE request: sSMTP doesn't validate server certificates
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 11 Oct 2012 11:00:51 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/11/2012 09:43 AM, Vincent Danen wrote:
* [2012-10-10 11:59:13 +0200] Laurent Bigonville wrote:

Hi,

It seems that sSMTP is not checking the server certificate when 
connecting. This is quite annoying as one of the main ssmtp
purpose is to be used on satellite systems that could be
connected to untrusted networks.

This has been reported (with a proposed patch) to the Debian BTS
(see [0])

Could you please allocate a CVE number for this?

Cheers

Laurent Bigonville

[0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=662960

I'm not sure it deserves one.

If you look at the TLS file in the source tarball, it indicates
that checking server certificates is not implemented and is
something to add in the future:

TODO: * Check server certificate for changes and notify about it. *
Diffrent Certificate and Key file?

Since sSMTP clearly indicates that this feature is missing and 
unsupported, then it was designed to _not_ do certificate
checking. Regardless of how good or bad that is, it was a design
choice (to leave it for a later date), and it's also clearly
documented.

To me, that doesn't seem like a security flaw (as in sSMTP was
designed to check certificates and didn't or didn't do a good job
of it).

Agreed, it's documented as a missing capability, so adding this counts
as security hardening, not a security fix. No CVE assigned.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQIcBAEBAgAGBQJQdvtAAAoJEBYNRVNeJnmThPIP/jXLMk2ZFbkW6D+itHm4BhDV
6Me9vqFq5ak0SM9SSj0I6+K2J2ne40oIUBx4HWha355OEP3knVZIwpQAsy448Akb
yTHNyYBDuOdahe+ZGvPM0T516BXMfx0B8nnirDY0TGchjShQECuYJzrrcKGm3q76
yACkNfAdUEosW9D+iik+r2mhOaNrEZRjarv5dbUqDrngJzguoJaDkHaZaVEL2oa8
6dHeS0ZzbEysQjHEhlx0hwe9Gla0gUfIq+yJZAywLWhiGwiSLIZD9RqgC4REEsIq
BEcAaPkfv5kzINJhdH2YshVoQE4+y7nHhaLBGkJR4pjo0E3AF/r12Vd3NR/PjMv8
mITWCAMMYPZgshYhHDknPhH5k+YFon1Mhf0FlZ2c7yhyT3XU9aTc3h491flMCWbt
Yi4uqsaH4PvNePwKDvxIGrjJy71GkN4WTG5eR1o9K7+dkkoY6r/Fd6lMDzhlTKDm
ebCt6fDiEf4qFBgogQKJWoKRwmBBqa5UxKYWzw9xmbNNPz3MdxcXU5t7Yc462j4N
0AoU58/3iatReYuSftZvLHRTYpe9x5C1ifh2CXUxuY6V+HkShxu3uIKMYrNh4dgl
L4aUETvYriNMjYZZws+N2+cYAUZ/FBY+7fVPfOsTb+IlamBS7daTn1pU0tOFMb2m
gl2+SBdo+XihXxYHGlxC
=bPeF
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]