Opened 2 years ago

Last modified 7 months ago

#65297 assigned defect

Alpine fails to validate certs with no subject_alt_name extensions

Reported by: steven-michaud (Steven Michaud) Owned by: jcvernaleo (John C. Vernaleo)
Priority: Normal Milestone:
Component: ports Version:
Keywords: Cc: jerryyhom, cooljeanius (Eric Gallager)
Port: alpine

Description

When using TLS to connect to a mail server, by default Alpine tries to validate the server's certificate. But it currently fails with a perfectly valid cert that doesn't have any subject_alt_name extensions. The error is "Server name does not match certificate cert", even though the name does match.

Commercial IMAP servers tend to have very complex environments, and their certs usually have multiple subject_alt_name extensions. Alpine currently works with those, as long as at least one subject_alt_name matches the name of the server Alpine is trying to connect to. But I've set up an IMAP server on my own private network, using a CA server and certs that I created "by hand" (using only openssl commands). Those certs don't have any extensions at all. So Alpine is unable to validate my IMAP server's extension, even though its CN does match my server's name.

This problem is caused by faulty logic in Alpine's ssl_validate_cert() function in ssl_unix.c. I have a patch to fix this. I'll say more in a later comment.

Attachments (2)

patch-alpine-validate-cert-logging.diff (1.4 KB) - added by steven-michaud (Steven Michaud) 2 years ago.
Patch to Alpine 2.25 to log how this bug happens
patch-alpine-validate-cert.diff (1.7 KB) - added by steven-michaud (Steven Michaud) 2 years ago.
Patch to Alpine 2.25 that fixes this bug


Change History (12)

comment:1 Changed 2 years ago by steven-michaud (Steven Michaud)

Here's pseudo-code to show how ssl_validate_cert() currently works (on OpenSSL 1.1.0 or greater):

for (each field in `cert`'s "subject name") {
  var ret = NIL
  if (field matches `host`) {
    return NIL (success)
  } else {
    ret = error
    for (each of `cert`'s `subject_alt_name` extensions) {
      if (`subject_alt_name` matches `host`) {
        ret = NIL
        break
      }
    }
    if (ret != NIL) {
      return error
    }
  }
}
return NIL (success)

This is badly messed up. If cert doesn't have any subject_alt_name extensions, ssl_validate_cert() fails at the first "subject name" field that doesn't match host. Even if it does have these extensions, and one matches, ssl_validate_cert() unnecessarily continues iterating through the "subject name" fields.

I'll attach a logging patch that shows this in action. It will log to .pine-debug1 if you run Alpine with -d 9.

Last edited 23 months ago by steven-michaud (Steven Michaud)

Changed 2 years ago by steven-michaud (Steven Michaud)

Patch to Alpine 2.25 to log how this bug happens

comment:2 Changed 2 years ago by steven-michaud (Steven Michaud)

I'll attach a patch to Alpine 2.25 that fixes this bug. I tried to neaten up the logic, and alter it as little as possible. Here's pseudo-code that shows how it makes ssl_validate_cert() work:

for (each field in `cert`'s "subject name") {
  if (field matches `host`) {
    return NIL (success)
  }
}
for (each of `cert`'s `subject_alt_name` extensions) {
  if (`subject_alt_name` matches `host`) {
    return NIL (success)
  }
}
return error;

Last edited 2 years ago by steven-michaud (Steven Michaud)
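To make the difference between the two control flows concrete, here is an added model of both checks (illustrative code written for this ticket, not Alpine's ssl_unix.c). It assumes a toy `struct cert` holding the subject-name field values and the subject_alt_name entries, and uses plain strcmp in place of Alpine's hostname comparison; the certificates are constructed samples.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of the fields the check inspects: the subject-name
 * field values and the subject_alt_name entries. Illustrative only. */
struct cert {
    const char *subject[4];  /* subject-name field values, NULL-terminated */
    const char *san[4];      /* subject_alt_name entries, NULL-terminated */
};

/* Original control flow (comment:1). Returns 1 on success, 0 on the
 * "name does not match" error. The SAN loop runs inside the subject
 * loop, so a cert with no SAN fails at the first non-matching field. */
static int validate_original(const struct cert *c, const char *host)
{
    for (int i = 0; c->subject[i]; i++) {
        if (strcmp(c->subject[i], host) == 0)
            return 1;
        int ok = 0;
        for (int j = 0; c->san[j]; j++) {
            if (strcmp(c->san[j], host) == 0) { ok = 1; break; }
        }
        if (!ok)
            return 0;   /* error on the first non-matching subject field */
    }
    return 1;
}

/* Patched control flow (comment:2): try every subject field, then every
 * SAN, and fail only after both lists are exhausted. */
static int validate_patched(const struct cert *c, const char *host)
{
    for (int i = 0; c->subject[i]; i++)
        if (strcmp(c->subject[i], host) == 0) return 1;
    for (int j = 0; c->san[j]; j++)
        if (strcmp(c->san[j], host) == 0) return 1;
    return 0;
}

/* Constructed cert like the reporter's: CN matches, no SAN at all. */
static const struct cert no_san = {
    { "US", "Home", "imap.example.test", NULL }, { NULL } };

/* Constructed commercial-style cert: CN differs, one of the SANs matches. */
static const struct cert with_san = {
    { "US", "Mail Inc", "mail.example.test", NULL },
    { "smtp.example.test", "imap.example.test", NULL } };
```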

Changed 2 years ago by steven-michaud (Steven Michaud)

Patch to Alpine 2.25 that fixes this bug

comment:3 Changed 2 years ago by steven-michaud (Steven Michaud)

Once my patch has been reviewed and landed, I'll send it upstream -- presumably by emailing it to Eduardo Chappa.

comment:4 Changed 23 months ago by jmroot (Joshua Root)

Cc: jerryyhom added
Owner: set to jcvernaleo
Status: new → assigned

comment:5 Changed 23 months ago by jerryyhom

Hi Steven. I think you misunderstand how MacPorts operates. We maintain the MacPorts alpine portfile, not the Alpine code. There is zero chance we would incorporate such a patch into the portfile. The best path for everyone here is for you to send the bug report/patch directly upstream to Eduardo via the Alpine mailing list.

comment:6 Changed 23 months ago by steven-michaud (Steven Michaud)

Fair enough. MacPorts has a very nice site for bug reporting, and I thought I could push my luck.

I actually did first look at Alpine's home page (http://alpine.x10host.com/) for some way to report bugs, but didn't find any.

As best I can tell there's no "Alpine mailing list". Rather, there are Alpine Linux mailing lists (https://lists.alpinelinux.org/). And Alpine Linux has its own bug reporting site (https://gitlab.alpinelinux.org/alpine/aports/-/issues?sort=created_date&state=opened). The source code I patched is also used on Linux and Unix, so I could report this bug there. But first I'll email Eduardo Chappa and ask him how to proceed.

Last edited 23 months ago by steven-michaud (Steven Michaud)

comment:7 Changed 23 months ago by jcvernaleo (John C. Vernaleo)

Alpine Linux and Alpine the mail client are totally unrelated projects, so their mailing lists won't be of much help. Emailing Eduardo Chappa is probably the right next step.

comment:8 Changed 23 months ago by steven-michaud (Steven Michaud)

Oops, yes. Alpine Linux seems to be a Linux distro.

I'll email Eduardo Chappa.

comment:9 Changed 22 months ago by steven-michaud (Steven Michaud)

Summary: Alpine fails to validate certs with no extensions → Alpine fails to validate certs with no subject_alt_name extensions

comment:10 Changed 7 months ago by cooljeanius (Eric Gallager)

Cc: cooljeanius added