SSL certificate check might be weak

Hello,

I installed em Client and connected it to my own server. This server has an SSL certificate from StartSSL for the second-level domain (sld.tld) and for www.sld.tld.

In the settings I entered mail0x.sld.tld for SMTP and IMAP and set em Client to communicate with the server only over an encrypted connection.

I expected this not to work, because the SSL certificate does not have mail0x.sld.tld in its DNS Name, but I do not get any error messages.

If the client does not check whether the certificate matches the server, a man-in-the-middle attack might be possible.

The IP for sld.tld, www.sld.tld and mail0x.sld.tld is the same, but this is not how SSL checks should work.

I hope I have missed something, because this would be a really problematic bug.
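To make the check the post is asking for concrete: a TLS client is supposed to match the host name it was configured to reach (here mail0x.sld.tld) against the dNSName entries in the certificate's subjectAltName; the IP address the names resolve to plays no part. The following is an added example, not code from this thread or from eM Client, showing that matching as a small Python function (RFC 6125 style, wildcard allowed only as the whole leftmost label and matching exactly one label), run against a constructed certificate dict in the shape that `ssl.SSLSocket.getpeercert()` returns, plus the client-side `SSLContext` settings that enforce the check. The names sld.tld, www.sld.tld and mail0x.sld.tld are the placeholders used in the post; the SAN contents are assumed from the post's description.

```python
import ipaddress
import socket
import ssl


def _dnsname_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName (possibly with a wildcard) against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard only as the entire leftmost label, and only with at least two
    # labels to its right ("*.tld" is rejected).
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    # "*" matches exactly one label, so "*.sld.tld" never matches "sld.tld"
    # or "a.b.sld.tld".
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches_cert(hostname: str, san_dnsnames, san_ips=()) -> bool:
    """True if hostname is covered by the certificate's SAN entries.

    An IP literal is compared only against iPAddress entries; a DNS name only
    against dNSName entries. Which IP a name resolves to is deliberately not
    an input: it is irrelevant to certificate validation.
    """
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ip == ipaddress.ip_address(x) for x in san_ips)
    return any(_dnsname_matches(p, hostname) for p in san_dnsnames)


def check_peer(cert: dict, hostname: str) -> bool:
    """Apply hostname_matches_cert to a getpeercert()-style dict."""
    san = cert.get("subjectAltName", ())
    dnsnames = [v for (t, v) in san if t == "DNS"]
    ips = [v for (t, v) in san if t == "IP Address"]
    return hostname_matches_cert(hostname, dnsnames, ips)


# Constructed stand-in for the certificate described in the post: issued for
# the second-level domain and www only.  (Assumed contents, not a real cert.)
STARTSSL_LIKE_CERT = {
    "subject": ((("commonName", "sld.tld"),),),
    "subjectAltName": (("DNS", "sld.tld"), ("DNS", "www.sld.tld")),
}


def strict_client_context() -> ssl.SSLContext:
    """The context a mail client should use: chain verified AND name checked."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True            # already the default; stated explicitly
    ctx.verify_mode = ssl.CERT_REQUIRED  # already the default; stated explicitly
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The misconfiguration the post suspects: encrypted, but to anyone."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # name mismatch no longer fails
    ctx.verify_mode = ssl.CERT_NONE      # chain not verified either
    return ctx


def context_enforces_hostname(ctx: ssl.SSLContext) -> bool:
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED


def connect_imaps(host: str, port: int = 993) -> dict:
    """Open a TLS connection the strict way; raises ssl.SSLCertVerificationError
    on a name mismatch. Needs network, so it is not run by default."""
    ctx = strict_client_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        # server_hostname is what the SAN is checked against, not the IP.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for name in ("sld.tld", "www.sld.tld", "mail0x.sld.tld"):
        print(name, "->", check_peer(STARTSSL_LIKE_CERT, name))
    print("strict context enforces name:", context_enforces_hostname(strict_client_context()))
    print("weak context enforces name:", context_enforces_hostname(weak_client_context()))
```

Run stand-alone, the script reports that sld.tld and www.sld.tld match the constructed certificate and mail0x.sld.tld does not; a client that connects to mail0x.sld.tld without an error against such a certificate is therefore either not checking the name or not verifying the certificate at all, which is the weak-context case above.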

Hi, I’ve consulted the developers about this, and we’re letting our security experts investigate it.
I’m sorry if this is causing any issues for you; we’ll see whether it is an actual issue and release a fix if it is.

Thank you for pointing this out,
Paul.

ok, thank you so far!

no problem, thank you.

Paul.