Opened 2 years ago

Last modified 14 months ago

#65297 assigned defect

Alpine fails to validate certs with no subject_alt_name extensions

Reported by: steven-michaud (Steven Michaud) Owned by: jcvernaleo (John C. Vernaleo)
Priority: Normal Milestone:
Component: ports Version:
Keywords: Cc: jerryyhom, cooljeanius (Eric Gallager)
Port: alpine

Description

When using TLS to connect to a mail server, by default Alpine tries to validate the server's certificate. But it currently fails with a perfectly valid cert that doesn't have any subject_alt_name extensions. The error is "Server name does not match certificate cert", even though the name does match.

Commercial IMAP servers tend to have very complex environments, and their certs usually have multiple subject_alt_name extensions. Alpine currently works with those, as long as at least one subject_alt_name matches the name of the server Alpine is trying to connect to. But I've set up an IMAP server on my own private network, using a CA server and certs that I created "by hand" (using only openssl commands). Those certs don't have any extensions at all. So Alpine is unable to validate my IMAP server's extension, even though its CN does match my server's name.

This problem is caused by faulty logic in Alpine's ssl_validate_cert() function in ssl_unix.c. I have a patch to fix this. I'll say more in a later comment.

Attachments (2)

patch-alpine-validate-cert-logging.diff (1.4 KB) - added by steven-michaud (Steven Michaud) 2 years ago.
Patch to Alpine 2.25 to log how this bug happens
patch-alpine-validate-cert.diff (1.7 KB) - added by steven-michaud (Steven Michaud) 2 years ago.
Patch to Alpine 2.25 that fixes this bug

Download all attachments as: .zip

Change History (12)

comment:1 Changed 2 years ago by steven-michaud (Steven Michaud)

Here's pseudo-code to show how ssl_validate_cert() currently works (on Openssl 1.1.0 or greater):

for (each field in `cert`'s "subject name") {
  var ret = NIL
  if (field matches `host`) {
    return NIL (success)
  } else {
    ret = error
    for (each of `cert`'s `subject_alt_name` extensions) {
      if (`subject_alt_name` matches `host`) {
        ret = NIL
        break
      }      
    }
    if (ret != NIL) {
      return error
    }
  }
}
return NIL (success)

This is badly messed up. If cert doesn't have any subject_alt_name extensions, ssl_validate_cert() fails at the first "subject name" field that doesn't match host. Even if it does have these extensions, and one matches, ssl_validate_cert() unnecessarily continues iterating through the "subject name" fields.

I'll attach a logging patch that shows this in action. It will log to .pine-debug1 if you run Alpine with -d 9.

Last edited 2 years ago by steven-michaud (Steven Michaud) (previous) (diff)

Changed 2 years ago by steven-michaud (Steven Michaud)

Patch to Alpine 2.25 to log how this bug happens

comment:2 Changed 2 years ago by steven-michaud (Steven Michaud)

I'll attach a patch to Alpine 2.25 that fixes this bug. I tried to neaten up the logic, and alter it as little as possible. Here's pseudo-code that shows how it makes ssl_validate_cert() work:

for (each field in `cert`'s "subject name") {
  if (field matches `host`) {
    return NIL (success)
  }
}
for (each of `cert`'s `subject_alt_name` extensions) {
  if (`subject_alt_name` matches `host`) {
    return NIL (success)
  }
}
return error;
Last edited 2 years ago by steven-michaud (Steven Michaud) (previous) (diff)

Changed 2 years ago by steven-michaud (Steven Michaud)

Patch to Alpine 2.25 that fixes this bug

comment:3 Changed 2 years ago by steven-michaud (Steven Michaud)

Once my patch has been reviewed and landed, I'll send it upstream -- presumably by emailing it to Eduardo Chappa.

comment:4 Changed 2 years ago by jmroot (Joshua Root)

Cc: jerryyhom added
Owner: set to jcvernaleo
Status: newassigned

comment:5 Changed 2 years ago by jerryyhom

Hi Steven. I think you misunderstand how MacPorts operates. We maintain the MacPorts alpine portfile, not the Alpine code. There is zero chance we would incorporate such a patch into the portfile. The best path for everyone here is for you to send the bug report/patch directly upstream to Eduardo via the Alpine mailing list.

comment:6 Changed 2 years ago by steven-michaud (Steven Michaud)

Fair enough. Macports has a very nice site for bug reporting, and I thought I could push my luck.

I actually did first look at Alpine's home page (http://alpine.x10host.com/) for some way to report bugs, but didn't find any.

As best I can tell there's no "Alpine mailing list". Rather, there are Alpine Linux mailing lists (https://lists.alpinelinux.org/). And Alpine Linux has its own bug reporting site (https://gitlab.alpinelinux.org/alpine/aports/-/issues?sort=created_date&state=opened). The source code I patched is also used in Linux and Unix, so I could report this bug there. But first I'll email Eduardo Chappa and ask him how to proceed.

Version 1, edited 2 years ago by steven-michaud (Steven Michaud) (previous) (next) (diff)

comment:7 Changed 2 years ago by jcvernaleo (John C. Vernaleo)

alpine linux and alpine the mail client are totally unrelated projects so their mailings list won't be of much help. Emailing Eduardo Chappa is probably the right next step.

comment:8 Changed 2 years ago by steven-michaud (Steven Michaud)

Oops, yes. Alpine Linux seems to be a Linux distro.

I'll email Eduardo Chappa.

comment:9 Changed 2 years ago by steven-michaud (Steven Michaud)

Summary: Alpine fails to validate certs with no extensionsAlpine fails to validate certs with no subject_alt_name extensions

comment:10 Changed 14 months ago by cooljeanius (Eric Gallager)

Cc: cooljeanius added
Note: See TracTickets for help on using tickets.