| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <48DF22D0-851E-4F61-88F4-82CA4DEF43E7@sabahattin-gucukoglu.com> Date: Sun, 31 Oct 2010 04:47:43 +0000 From: Sabahattin Gucukoglu <mail@...ahattin-gucukoglu.com> To: full-disclosure@...ts.grok.org.uk Subject: OS X Mail.app Insecure TLS Usage With SMTPS? I'm getting a bit panicky here. I just upgraded to a CA-issued certificate. They require an intermediate CA not in OS roots. I installed it on all my services, but my SMTP proxy only advertises the primary (server) certificate. I noticed this when verifying several services a short while later, but not, I suddenly realised, without having successfully sent some mail first through that same server and proxy. I checked Keychain access, nothing. Tried to find a way to clear any kind of state or cache, nothing. I looked at my old certificate, and notice that I'd never have seen this before, since I would have readily imported the CA key when installing it. Now, could somebody please see if Mail.app will connect to custom port n of choice, SSL enabled, running Direct SSL, with "Password" (i.e., plain) authentication, and not bat an eyelid when the cert is invalid because it's unverified at the first hop? Extra points for testing various versions (I'm on 10.6.4 latest), or for seeing if completely invalidating the cert would bother it either (at least one of my other clients doesn't even *try*, but it's not an important one) ... Thank you! Cheers, Sabahattin _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists