Debian Bug report logs - #662960
ssmtp doesn't validate server TLS certificates

Package: ssmtp; Maintainer for ssmtp is Anibal Monsalve Salazar <anibal@debian.org>; Source for ssmtp is src:ssmtp.

Reported by: "W. Trevor King" <wking@drexel.edu>

Date: Wed, 7 Mar 2012 16:09:02 UTC

Severity: wishlist

Tags: patch, security

Found in version ssmtp/2.64-5



Report forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#662960; Package ssmtp. (Wed, 07 Mar 2012 16:09:05 GMT)

Acknowledgement sent to "W. Trevor King" <wking@drexel.edu>:
New Bug report received and forwarded. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. (Wed, 07 Mar 2012 16:09:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: "W. Trevor King" <wking@drexel.edu>
To: submit@bugs.debian.org
Subject: ssmpt doesn't validate server TLS certificates
Date: Wed, 07 Mar 2012 10:56:30 -0500
Package: ssmtp
Version: 2.64-5
Severity: wishlist
Tags: patch

The current version of sSMTP doesn't attempt to validate the server
certificate when using TLS.  Without this, users authenticating over
encrypted connections might unknowingly be sending their
authentication information to a man in the middle.

The attached patch allows the user to configure a set of trusted
authorities which can be used to validate the server (`TLS_CA_File`
and `TLS_CA_Dir`).  If neither configuration option is given, the
current behaviour (no validation) is preserved.

The attached patch should be applied after my patch for bug #662959
(http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=662959).

Trevor

-- 
This email may be signed or encrypted with GnuPG (http://www.gnupg.org).
For more information, see http://en.wikipedia.org/wiki/Pretty_Good_Privacy
[0003-Validate-the-server-certificate-when-using-TLS.patch (text/plain, attachment)]

Added tag(s) security. Request was from Laurent Bigonville <bigon@debian.org> to control@bugs.debian.org. (Fri, 14 Sep 2012 01:15:03 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Anibal Monsalve Salazar <anibal@debian.org>:
Bug#662960; Package ssmtp. (Fri, 28 Sep 2012 10:54:02 GMT)

Acknowledgement sent to Juraj Variny <rini17@gmail.com>:
Extra info received and forwarded to list. Copy sent to Anibal Monsalve Salazar <anibal@debian.org>. (Fri, 28 Sep 2012 10:54:03 GMT)

Message #12 received at 662960@bugs.debian.org:

From: Juraj Variny <rini17@gmail.com>
To: 662960@bugs.debian.org
Subject: Always validate server cert
Date: Fri, 28 Sep 2012 12:52:14 +0200
Hi, I have tried to use this patch in a situation where the ssmtp client is not
authenticating, but I still want to have a proper TLS connection to the smtp
server. I found out the server SSL cert is not validated at all in this case. It
would be a worthwhile addition.
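As an added example (not the bug report's own text or the attached patch), the following Python audits an ssmtp.conf for the weakness Trevor describes and for the no-authentication case Juraj raises: TLS_CA_File and TLS_CA_Dir are the options the patch introduces, mailhub, UseTLS, UseSTARTTLS and AuthUser are standard ssmtp keys, and the sample configurations and CA bundle path are constructed.

```python
# Added example, not code from the bug report or its patch: audit an
# ssmtp.conf for the weakness described above. Sample configs are constructed.
WEAK_CONF = """\
# constructed /etc/ssmtp/ssmtp.conf: encrypted, authenticated, unvalidated
root=postmaster
mailhub=mail.example.com:587
UseSTARTTLS=YES
AuthUser=alice
AuthPass=s3cret
"""
# Same file with a trust anchor (sample path: Debian's ca-certificates bundle).
FIXED_CONF = WEAK_CONF + "TLS_CA_File=/etc/ssl/certs/ca-certificates.crt\n"


def parse_ssmtp_conf(text):
    """Parse Key=Value lines; '#' lines are comments; keys lower-cased."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip().lower()] = value.strip()
    return conf


def audit_tls_validation(text):
    """Return findings about unvalidated TLS use in an ssmtp.conf.

    Follows the patch's rule: with neither TLS_CA_File nor TLS_CA_Dir set the
    server certificate is accepted unchecked, so a man in the middle goes
    unnoticed; if AuthUser is also set, credentials are sent to it.
    """
    conf = parse_ssmtp_conf(text)

    def is_yes(key):
        return conf.get(key, "").upper() == "YES"

    tls_on = is_yes("usetls") or is_yes("usestarttls")
    ca_given = bool(conf.get("tls_ca_file") or conf.get("tls_ca_dir"))
    findings = []
    if not tls_on:
        findings.append("TLS not enabled: mail and any credentials travel in cleartext")
    elif not ca_given:
        findings.append("TLS on without TLS_CA_File/TLS_CA_Dir: "
                        "server certificate is not validated")
        if conf.get("authuser"):
            findings.append("AuthUser set: credentials would reach an unvalidated server")
    return findings
```

Run it over a real /etc/ssmtp/ssmtp.conf to see whether the host falls into the pre-patch "encrypt but trust anyone" configuration.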

Changed Bug title to 'ssmtp doesn't validate server TLS certificates' from 'ssmpt doesn't validate server TLS certificates'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 10 Oct 2012 12:15:04 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 21:12:26 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.