Set customize_hostname_check for Swoosh.Adapters.SMTP #861

Open
norm wants to merge 1 commit from norm/akkoma:smtp-defaults-fix into develop
Contributor

This should hopefully fix issues with connecting to SMTP servers
with wildcard TLS certificates.

Taken from https://erlef.github.io/security-wg/secure_coding_and_deployment_hardening/ssl

Fixes #660

This should hopefully fix issues with connecting to SMTP servers with wildcard TLS certificates. Taken from https://erlef.github.io/security-wg/secure_coding_and_deployment_hardening/ssl Fixes https://akkoma.dev/AkkomaGang/akkoma/issues/660
norm added 1 commit 2024-12-17 23:35:26 +00:00
Set customize_hostname_check for Swoosh.Adapters.SMTP
Some checks are pending
ci/woodpecker/pr/build-amd64 Pipeline is pending approval
ci/woodpecker/pr/build-arm64 Pipeline is pending approval
ci/woodpecker/pr/docs Pipeline is pending approval
ci/woodpecker/pr/lint Pipeline is pending approval
ci/woodpecker/pr/test Pipeline is pending approval
615c52cdde
This should hopefully fix issues with connecting to SMTP servers
with wildcard TLS certificates.

Taken from https://erlef.github.io/security-wg/secure_coding_and_deployment_hardening/ssl

Fixes #660

hm, i wonder, does this break non-ssl'd smtp connections? i doubt it but worth testing if we can

hm, i wonder, does this break _non_-ssl'd smtp connections? i doubt it but worth testing if we can
Member

It cannot ever break non-SSL connections since common_tls_opts to which the new argument is added, are never applied to the final socket options if ssl is set to false *(a few lines below the shown context). Otherwise it would already break with the existing defaults.

However, when i added the defaults comments in relevant threads suggested setting server_name_indication would already fix wildcard certificates; evidently this isn't the case here at least and tbh i was never sure why it should fix wildcard certs. Might be good to drop the wildcard comment from śerver_name_indication and just add it to the new setting here instead (but keep the SNI setting; can't hurt to explicitly request the right domain)

It cannot ever break non-SSL connections since `common_tls_opts` to which the new argument is added, are never applied to the final socket options if `ssl` is set to false *(a few lines below the shown context). Otherwise it would already break with the existing defaults. However, when i added the defaults comments in relevant threads suggested setting `server_name_indication` would already fix wildcard certificates; evidently this isn't the case here at least and tbh i was never sure why it should fix wildcard certs. Might be good to drop the wildcard comment from `śerver_name_indication` and just add it to the new setting here instead *(but keep the SNI setting; can't hurt to explicitly request the right domain)*
norm force-pushed smtp-defaults-fix from 615c52cdde to f19d5d1380 2024-12-18 19:37:35 +00:00 Compare
Oneric approved these changes 2024-12-18 19:57:16 +00:00
Some checks are pending
ci/woodpecker/pr/build-amd64 Pipeline is pending approval
ci/woodpecker/pr/build-arm64 Pipeline is pending approval
ci/woodpecker/pr/docs Pipeline is pending approval
ci/woodpecker/pr/lint Pipeline is pending approval
ci/woodpecker/pr/test Pipeline is pending approval
This pull request can be merged automatically.
This branch is out-of-date with the base branch
You are not authorized to merge this pull request.
View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.
git fetch -u smtp-defaults-fix:norm-smtp-defaults-fix
git checkout norm-smtp-defaults-fix
Sign in to join this conversation.
No description provided.