Opened 2 years ago
Last modified 14 months ago
#65297 assigned defect
Alpine fails to validate certs with no subject_alt_name extensions
Reported by: steven-michaud (Steven Michaud)
Owned by: jcvernaleo (John C. Vernaleo)
Priority: Normal
Milestone: (none)
Component: ports
Version: (none)
Keywords: (none)
Cc: jerryyhom, cooljeanius (Eric Gallager)
Port: alpine
Description
When using TLS to connect to a mail server, by default Alpine tries to validate the server's certificate. But it currently fails with a perfectly valid cert that doesn't have any subject_alt_name extensions. The error is "Server name does not match certificate cert", even though the name does match.

Commercial IMAP servers tend to have very complex environments, and their certs usually have multiple subject_alt_name extensions. Alpine currently works with those, as long as at least one subject_alt_name matches the name of the server Alpine is trying to connect to. But I've set up an IMAP server on my own private network, using a CA server and certs that I created "by hand" (using only openssl commands). Those certs don't have any extensions at all. So Alpine is unable to validate my IMAP server's extension, even though its CN does match my server's name.

This problem is caused by faulty logic in Alpine's ssl_validate_cert() function in ssl_unix.c. I have a patch to fix this. I'll say more in a later comment.
Attachments (2)
Change History (12)
comment:1 Changed 2 years ago by steven-michaud (Steven Michaud)
Changed 2 years ago by steven-michaud (Steven Michaud)
Attachment: patch-alpine-validate-cert-logging.diff added
Patch to Alpine 2.25 to log how this bug happens
comment:2 Changed 2 years ago by steven-michaud (Steven Michaud)
I'll attach a patch to Alpine 2.25 that fixes this bug. I tried to neaten up the logic, and alter it as little as possible. Here's pseudo-code that shows how it makes ssl_validate_cert() work:

```
for (each field in `cert`'s "subject name") {
  if (field matches `host`) {
    return NIL (success)
  }
}
for (each of `cert`'s `subject_alt_name` extensions) {
  if (`subject_alt_name` matches `host`) {
    return NIL (success)
  }
}
return error;
```
Changed 2 years ago by steven-michaud (Steven Michaud)
Attachment: patch-alpine-validate-cert.diff added
Patch to Alpine 2.25 that fixes this bug
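As an added illustration (an editor's example in Python, not Alpine's code and not the attached patch), here is a hostname check over a certificate represented in the shape Python's ssl.getpeercert() returns, which is an assumption made for the example. It follows the RFC 6125 ordering, which differs from the pseudo-code in comment:2: when a certificate carries dNSName subject_alt_name entries, those are authoritative and the CN is never consulted; the CN is only a fallback for SAN-less certificates such as the hand-made ones the reporter describes. The wildcard rules (leftmost label only, one label deep) are the ones a practitioner would expect from a mail client. A second function, reported_buggy_validate(), is a model of the failure mode described later in this ticket (validation failing at the first subject-name field that is not the host) and is not Alpine's source. The certificate dictionaries, hostnames and error string are constructed for the example.

```python
"""Editor's example (not Alpine's code): hostname matching against a TLS
certificate's subject CN and subjectAltName dNSName entries.

Certificates are represented in the shape Python's ssl.getpeercert() returns
(assumed for the example); all certificates and hostnames below are constructed.
"""

MISMATCH_ERROR = "Server name does not match certificate"   # constructed error text


def _match_dns_name(pattern: str, host: str) -> bool:
    """Compare one certificate name against the host the client connected to.

    Case-insensitive; a wildcard is accepted only as the entire leftmost label,
    must be followed by at least two more labels, and matches exactly one label
    (so "*.example.com" matches "smtp.example.com" but not "a.b.example.com").
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False                      # reject "*", "*.com", "f*o.example.com"
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def _dns_sans(cert):
    """dNSName entries from the subjectAltName extension, if any."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def _common_names(cert):
    """commonName attributes from the subject DN (may be several, or none)."""
    return [value for rdn in cert.get("subject", ()) for (key, value) in rdn
            if key == "commonName"]


def validate_hostname(cert, host):
    """Return None on success or MISMATCH_ERROR, mirroring 'NIL on success'.

    Ordering follows RFC 6125: if the certificate carries any dNSName SAN, the
    SAN list is authoritative and the CN is ignored; the CN is consulted only
    for SAN-less certificates such as hand-made ones.
    """
    sans = _dns_sans(cert)
    if sans:
        return None if any(_match_dns_name(s, host) for s in sans) else MISMATCH_ERROR
    if any(_match_dns_name(cn, host) for cn in _common_names(cert)):
        return None
    return MISMATCH_ERROR


def reported_buggy_validate(cert, host):
    """Model of the failure mode described in this ticket, NOT Alpine's source:
    with no SAN, the first subject attribute that is not the hostname fails,
    so a cert whose DN starts with C= or O= can never validate."""
    if _dns_sans(cert):
        return validate_hostname(cert, host)   # the SAN path is reported to work
    for rdn in cert.get("subject", ()):
        for _key, value in rdn:
            if not _match_dns_name(value, host):
                return MISMATCH_ERROR
    return None


# Constructed certificates in getpeercert() shape.
HANDMADE_CERT = {                         # openssl-only CA, no extensions at all
    "subject": ((("countryName", "US"),),
                (("organizationName", "Home Lab"),),
                (("commonName", "imap.home.lan"),)),
}
COMMERCIAL_CERT = {                       # several SANs, CN duplicated in SAN
    "subject": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (("DNS", "mail.example.com"),
                       ("DNS", "*.example.com"),
                       ("DNS", "imap.example.net")),
}
CN_ONLY_MATCH_CERT = {                    # CN matches but SAN does not: must FAIL
    "subject": ((("commonName", "imap.example.org"),),),
    "subjectAltName": (("DNS", "other.example.org"),),
}

if __name__ == "__main__":
    for cert, host in [(HANDMADE_CERT, "imap.home.lan"),
                       (COMMERCIAL_CERT, "smtp.example.com"),
                       (CN_ONLY_MATCH_CERT, "imap.example.org")]:
        print(host, "->", validate_hostname(cert, host) or "OK",
              "| reported bug:", reported_buggy_validate(cert, host) or "OK")
```

The CN_ONLY_MATCH_CERT case is the one to watch when reviewing a fix: a check that consults the CN before, or in addition to, the SAN list would accept a certificate whose SANs name a different host, which is exactly what the SAN extension exists to prevent.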
comment:3 Changed 2 years ago by steven-michaud (Steven Michaud)
Once my patch has been reviewed and landed, I'll send it upstream -- presumably by emailing it to Eduardo Chappa.
comment:4 Changed 2 years ago by jmroot (Joshua Root)
Cc: jerryyhom added
Owner: set to jcvernaleo
Status: new → assigned
comment:5 Changed 2 years ago by jerryyhom
Hi Steven. I think you misunderstand how MacPorts operates. We maintain the MacPorts alpine portfile, not the Alpine code. There is zero chance we would incorporate such a patch into the portfile. The best path for everyone here is for you to send the bug report/patch directly upstream to Eduardo via the Alpine mailing list.
comment:6 Changed 2 years ago by steven-michaud (Steven Michaud)
Fair enough. MacPorts has a very nice site for bug reporting, and I thought I could push my luck.
I actually did first look at Alpine's home page (http://alpine.x10host.com/) for some way to report bugs, but didn't find any.
As best I can tell there's no "Alpine mailing list". Rather, there are Alpine Linux mailing lists (https://lists.alpinelinux.org/). And Alpine Linux has its own bug reporting site (https://gitlab.alpinelinux.org/alpine/aports/-/issues?sort=created_date&state=opened). The source code I patched is also used in Linux and Unix, so I could report this bug there. But first I'll email Eduardo Chappa and ask him how to proceed.
comment:7 Changed 2 years ago by jcvernaleo (John C. Vernaleo)
alpine linux and alpine the mail client are totally unrelated projects so their mailing lists won't be of much help. Emailing Eduardo Chappa is probably the right next step.
comment:8 Changed 2 years ago by steven-michaud (Steven Michaud)
Oops, yes. Alpine Linux seems to be a Linux distro.
I'll email Eduardo Chappa.
comment:9 Changed 2 years ago by steven-michaud (Steven Michaud)
Summary: Alpine fails to validate certs with no extensions → Alpine fails to validate certs with no subject_alt_name extensions
comment:10 Changed 14 months ago by cooljeanius (Eric Gallager)
Cc: cooljeanius added
Here's pseudo-code to show how ssl_validate_cert() currently works (on OpenSSL 1.1.0 or greater):

This is badly messed up. If cert doesn't have any subject_alt_name extensions, ssl_validate_cert() fails at the first "subject name" field that doesn't match host. Even if it does have these extensions, and one matches, ssl_validate_cert() unnecessarily continues iterating through the "subject name" fields.

I'll attach a logging patch that shows this in action. It will log to .pine-debug1 if you run Alpine with -d 9.