On Fri, Sep 06, 2019 at 08:41:21AM +0200, Eric Faurot wrote:
> Hi,
> 
> This patch adds the missing bits for verifying the server certificate
> in smtp(1).
>[...]

Whilst this is a great improvement, it doesn't seem to be quite right...


For sites with valid certificates, things seem OK:

        $ ./smtp -nv -s smtps://smtp.fastmail.com
        trying host 66.111.4.139 port 465...
        valid certificate
        connection ready...
        connection closed...
        trying host 66.111.4.140 port 465...
        valid certificate
        connection ready...
        connection closed...
        done...

        $ ./smtp -nv -s smtps://mail.aussiebroadband.com.au
        trying host 202.142.142.238 port 465...
        valid certificate
        connection ready...
        connection closed...
        trying host 202.142.142.239 port 465...
        valid certificate
        connection ready...
        connection closed...
        trying host 2403:5800:1:3::25 port 465...
        valid certificate
        connection ready...
        connection closed...
        trying host 2403:5800:1:4::25 port 465...
        valid certificate
        connection ready...
        connection closed...
        done...

        $ ./smtp -nv -s smtps://mail.internode.on.net
        trying host 203.16.214.182 port 465...
        valid certificate
        connection ready...
        connection closed...
        done...


[I don't know of any mail servers with invalid certs against which
I can test, so I've tried some web servers.]

For invalid certificates, the result sometimes does not correspond with
that from nc(1):

        $ ./smtp -nv -s smtps://devio.us:https
        trying host 74.81.181.124 port 443...
        certificate validation error 10
        connection error: Invalid server certificate
        done...
        $ nc -cvz devio.us https
        Connection to devio.us 443 port [tcp/https] succeeded!
        nc: tls handshake failed (certificate verification failed: certificate has expired)

        $ ./smtp -nv -s smtps://www.nokia.com.au:https
        trying host 180.150.2.201 port 443...
        valid certificate
        ^C
        $ nc -cvz www.nokia.com.au https
        Connection to www.nokia.com.au 443 port [tcp/https] succeeded!
        nc: tls handshake failed (name `www.nokia.com.au' not present in server certificate)

        $ ./smtp -nv -s smtps://www.on.net:https
        trying host 150.101.140.197 port 443...
        valid certificate
        ^C
        $ nc -cvz www.on.net https
        Connection to www.on.net 443 port [tcp/https] succeeded!
        nc: tls handshake failed (handshake failed: error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure)


Thanks,
        Ross

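The two certificate-level failures nc(1) reports above (an expired validity period, and a requested name that is not present in the server certificate) are the checks a verifying client has to apply after the chain itself validates. The block below is an added reference implementation of those two checks, written for this page; it is not smtp(1) or libtls code, and it does not model the third case (the sslv3 alert handshake failure), which is a handshake-level error rather than a certificate check. The certificate records, the clock value and the wildcard rule it applies (wildcard must be the whole leftmost label, and a pattern needs at least two fixed labels) are assumptions constructed for the example. Error code 10 is OpenSSL/LibreSSL's X509_V_ERR_CERT_HAS_EXPIRED, the number smtp printed for devio.us above.

```python
"""Validity-period and hostname checks for a server certificate.

Added example, not smtp(1)/libtls code. Certificate data, the clock and
the wildcard rule are constructed assumptions for illustration only.
"""
from datetime import datetime, timezone

# OpenSSL/LibreSSL X509 verification result codes (numeric values are stable).
X509_V_OK = 0
X509_V_ERR_CERT_NOT_YET_VALID = 9
X509_V_ERR_CERT_HAS_EXPIRED = 10


def check_validity(not_before, not_after, now):
    """Return X509_V_OK when `now` lies within [not_before, not_after],
    otherwise the OpenSSL-style error code for the violated bound."""
    if now < not_before:
        return X509_V_ERR_CERT_NOT_YET_VALID
    if now > not_after:
        return X509_V_ERR_CERT_HAS_EXPIRED
    return X509_V_OK


def match_hostname(hostname, dns_names):
    """True if `hostname` matches one of the certificate's DNS SAN entries.

    Comparison is case-insensitive and label-wise. A wildcard is accepted
    only as the entire leftmost label, it matches exactly one label, and a
    wildcard pattern must keep at least two fixed labels (so "*.com" never
    matches anything). This is a conservative rule, assumed for the example.
    """
    host = hostname.rstrip(".").lower().split(".")
    for name in dns_names:
        pat = name.rstrip(".").lower().split(".")
        if len(pat) != len(host):
            continue  # a wildcard never spans more than one label
        if pat[0] == "*":
            if len(pat) < 3:
                continue  # refuse "*.tld" style patterns
            if pat[1:] == host[1:]:
                return True
        elif pat == host:
            return True
    return False


def verify(hostname, cert, now):
    """Run the checks in the order a client would, and report like the
    messages quoted above: the error code first, the name check second."""
    code = check_validity(cert["not_before"], cert["not_after"], now)
    if code != X509_V_OK:
        return "certificate validation error %d" % code
    if not match_hostname(hostname, cert["dns_names"]):
        return "name `%s' not present in server certificate" % hostname
    return "valid certificate"


# Constructed sample data (not real certificates).
SAMPLE_NOW = datetime(2019, 9, 6, 0, 0, tzinfo=timezone.utc)

CERT_EXPIRED = {
    "dns_names": ["mail.example.net"],
    "not_before": datetime(2018, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2019, 1, 1, tzinfo=timezone.utc),
}
CERT_WRONG_NAME = {
    "dns_names": ["*.example.org", "example.org"],
    "not_before": datetime(2019, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2020, 1, 1, tzinfo=timezone.utc),
}
CERT_GOOD = {
    "dns_names": ["smtp.example.com", "*.example.com"],
    "not_before": datetime(2019, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2020, 1, 1, tzinfo=timezone.utc),
}

if __name__ == "__main__":
    for host, cert in (("mail.example.net", CERT_EXPIRED),
                       ("mail.example.net", CERT_WRONG_NAME),
                       ("smtp.example.com", CERT_GOOD),
                       ("a.b.example.com", CERT_GOOD)):
        print("%-18s %s" % (host, verify(host, cert, SAMPLE_NOW)))
```

Running it prints one line per case: the expired certificate yields "certificate validation error 10" before the name is ever looked at, the name mismatch is reported in the same words nc(1) uses, the plain name validates, and a host with an extra label is rejected because the wildcard matches only one label.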