[Bug 1384232] Re: Certificate hostname verification fix
Robie Basak
1384232 at bugs.launchpad.net
Mon Jun 22 10:10:00 UTC 2015
I just looked into this, prompted by Chuck Peters on the ubuntu-server
list.

It seems to me that this is a security-related feature made upstream in
a newer release of exim4. To use it, every individual sysadmin would
need to manually configure the tls_verify_cert_hostnames setting to a
list of hostnames to use for stricter certificate checking when
connecting to those particular hosts. Is this understanding accurate?

Chuck requested a backport to Trusty on the list. I think the feature
would have limited value in an update automatically recommended to all
users (such as an SRU or security update), since most users would not be
aware of the feature in order to enable it. And the feature is of limited
use on the wider Internet anyway. We'd only be enabling the feature for a
very small proportion of "opt-in" users because of the configuration
requirement, for whom I suggest that the backports repository or moving
to a newer (yet to be released) Ubuntu release would be more suitable.

So I'm in favour of merging 4.86 into the development release when it is
available, but am not convinced that this is suitable in an update that
would be automatically recommended to all users such as through
trusty-updates.

I welcome discussion on this though. I'm particularly interested in the
security team's opinion.

** Summary changed:
- Certificate hostname verification fix
+ Cannot specify server certificate hostname verification whitelist
** Changed in: exim4 (Ubuntu)
Status: Confirmed => Triaged
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to exim4 in Ubuntu.
https://bugs.launchpad.net/bugs/1384232
Title:
Cannot specify server certificate hostname verification whitelist