From 0851a3bbf4667081d47f5d85b6b3a5cb33cbdba6 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Thu, 11 Jun 2020 20:21:38 +0100 Subject: TLS: use RFC 6125 rules for certificate name checks when CNAMES are present. Bug 2594 --- doc/doc-docbook/spec.xfpt | 10 ++++++++-- doc/doc-txt/ChangeLog | 7 ++++++- 2 files changed, 14 insertions(+), 3 deletions(-) (limited to 'doc') diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index abd235bae..e3684ba30 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -29242,8 +29242,14 @@ certificate verification to the listed servers. Verification either must or need not succeed respectively. The &%tls_verify_cert_hostnames%& option lists hosts for which additional -checks are made: that the host name (the one in the DNS A record) -is valid for the certificate. +name checks are made on the server certificate. +.new +The match against this list is, as per other Exim usage, the +IP for the host. That is most closely associated with the +name on the DNS A (or AAAA) record for the host. +However, the name that needs to be in the certificate +is the one at the head of any CNAME chain leading to the A record. +.wen The option defaults to always checking. The &(smtp)& transport has two OCSP-related options: diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 6c8349df4..425264191 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -30,6 +30,11 @@ JH/05 Bug 2593: Fix "vacation" in Exim filter. Previously, when a "once" path, an error occurred on trying to open it. Use the transport's working directory. +JH/06 Bug 2594: Change the name used for certificate name checks in the smtp + transport. Previously it was the name on the DNS A-record; use instead + the head of the CNAME chain leading there (if there is one). This seems + to align better with RFC 6125. + Exim version 4.94 ----------------- 
@@ -335,7 +340,7 @@ JH/20 Bug 2389: fix server advertising of usable certificates, under GnuTLS in JH/21 The smtp transport option "hosts_noproxy_tls" is now unset by default. A single TCP connection by a client will now hold a TLS connection open - for multiple message deliveries, by default. Previoud the default was to + for multiple message deliveries, by default. Previously the default was to not do so. JH/22 The smtp transport option "hosts_try_dane" now enables all hosts by -- cgit v1.2.3
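Review bot: In the spec.xfpt hunk, the new paragraph says which name is checked but not why, and its lead sentence "The match against this list is, as per other Exim usage, the IP for the host." reads awkwardly (it means the list is matched by IP address, but does not say so). Suggest rewording to something like "Hosts in this list are matched by IP address, as for other Exim host lists." and adding one sentence of rationale, since the commit subject cites RFC 6125 but the text does not name the rule: the name expected in the certificate is the one the client started from (the head of the CNAME chain), not a name reached through DNS indirection, because an unauthenticated CNAME answer must not be allowed to change which certificate is accepted. It would also help to state the unchanged case explicitly: with no CNAME present the A (or AAAA) record name is used, as before.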
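Review bot: The JH/06 ChangeLog entry hedges with "This seems to align better with RFC 6125"; a ChangeLog entry should state the behaviour definitively and name the affected option (tls_verify_cert_hostnames, per the spec.xfpt hunk) so operators can find it. It is also a verification change that can turn previously successful deliveries into failures: a server whose certificate names only the A-record name (the CNAME target) will now fail the name check. Suggest a sentence flagging that, e.g. "Servers reached via a CNAME now need a certificate valid for the name at the head of the CNAME chain."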
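Review bot: The second ChangeLog hunk ("Previoud" to "Previously" in the JH/21 entry) is an unrelated typo fix in an older release note bundled into the Bug 2594 commit; fine to take, but mention it in the commit message or split it into its own commit so the certificate-name change stays self-contained for backporting.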