SSL certificate check might be weak


I installed em Client and connected with an own server. This has a ssl certificate from startssl for the second level domain (sld.tld) and www.sld.tld

In the settings I inserted mail0x.sld.tld for smtp and imap and let em Client just communicate encrypted with the server.

I expected this would not work because the ssl certificate does not have mail0x.sld.tld in its DSN Name, but I do not get any error messages.

While not checking whether the certificate fits to the server a man in the middle attack might be possible.

The ip for sld.tld, www.sld.tld and mail0x.sld.tld is the same. But this is not how ssl checks should work.

I hope I have something missed because this would be a really problematic bug.

Hi, I’ve consulted this with the developers and we’re letting our security experts investigate this.
I’m sorry if this is causing any issues for you, we’ll see if this is an actual issue and we’ll release a fix if it is.

Thank you for pointing this out,

ok, thank you so far!

no problem, thank you.