Bug in DreamHosts's SSL certificates for email exp


#1

[as reported on Get Satisfaction:
http://getsatisfaction.com/dreamhost/topics/bug_in_dreamhostss_ssl_certificates_for_email_exposed_in_thunderbird_2_0_0_23]

Hi DreamHost Support Folks:

This is Roland from Thunderbird support. Thunderbird is an email client from Mozilla Messaging.

Mozilla Messaging just released Thunderbird 2.0.0.23, which exposes a “bug” (see DETAILS below) in DreamHost’s SSL certificates. This “bug” affects all DreamHost customers who use email on DreamHost and who use Thunderbird 2.0.0.23.

Not sure if you can fix this “bug”, so I’m just filing this problem here as a “heads up”. I will also file it via your normal support channels. I’m also going to file a reply to this problem with a link to this topic at our Get Satisfaction, which is:
http://getsatisfaction.com/mozilla_messaging

…Roland “Technical Support Lead”, Mozilla Messaging
roland@mozillamessaging.com
+1 604 729 7924

DETAILS from https://bugzilla.mozilla.org/show_bug.cgi?id=511921

Thunderbird prior to 2.0.0.23 still contained the bug that allowed * in an SSL cert to match more than one atom of a hostname (which actually violates the spec).

Thunderbird 2.0.0.23 changed the behavior so that a domain name with more than one atom in the spot where the * is in the cert name properly rejects the cert as an invalid hostname. Dreamhost has mailservers named with a pattern like:
a1.postal.mail.dreamhost.com.

Their cert says *.mail.dreamhost.com.


…Roland “Technical Support Lead, Mozilla Messaging” Tanglao
roland@rolandtanglao.com


#2

Here are some workarounds:

  1. In Thunderbird Settings, edit your IMAP, POP and SMTP servers to use your server’s name rather than DreamHost’s name
    [FROM: http://wiki.dreamhost.com/Certificate_Domain_Mismatch_Error ]
    I.e., to find the server name, go to the DreamHost Control Panel and click on “Account Status” in the upper right corner. If it shows your email server as “spunky”, then you should use “spunky.mail.dreamhost.com” rather than “*.mail.dreamhost.com”.

  2. Install the Cert Viewer Plus add-on: https://addons.mozilla.org/en-US/firefox/addon/1964
    With that installed, a user can override the cert and connect and retrieve mail. Unfortunately, it puts back the old-style dialog, which only overrides a hostname mismatch for that session.

  3. Upgrade to Thunderbird 3 Beta 3 http://www.mozillamessaging.com/en-US/thunderbird/early_releases/downloads/ (as this is beta software, please do a backup first!)

  4. setenv NSS_USE_SHEXP_IN_CERT_NAME 1 before starting Thunderbird (not for non-technical users, obviously :slight_smile: !)
    to restore the old behaviour; once the old behaviour is restored, use Remember Mismatched Domains so it doesn’t ask you every time:
    http://www.andrewlucking.com/archives/2008/03/download-rmd-from-amo/#comments


…Roland “Technical Support Lead, Mozilla Messaging” Tanglao
roland@rolandtanglao.com


#3

[quote]Thunderbird 2.0.0.23 changed the behavior so that a domain name with more than one atom in the spot where the * is in the cert name properly rejects the cert as an invalid hostname. Dreamhost has mailservers named with a pattern like:
a1.postal.mail.dreamhost.com.

Their cert says *.mail.dreamhost.com. [/quote]
I wondered what changed when it just auto-updated for me.

Really the only problem for DreamHost is with informing the customers of their hostname to use for this. For example my Web Panel lists smaug as the email server but it actually still is/was looney. So if I use smaug.mail.dreamhost.com it doesn’t work (there is no smaug.mail.dreamhost.com) but looney.mail.dreamhost.com does.

So to determine the hostname to use, I suggest looking up mail.[your domain].com, then looking up the IP address you get back, e.g. on Windows:

[code]> nslookup mail.example.com

Non-authoritative answer:
Name: mail.example.com
Address: 208.113.200.13

> nslookup 208.113.200.13

Name: looney.mail.dreamhost.com
Address: 208.113.200.13[/code]
Now I don’t know if this applies to all clusters at DreamHost or not.

Customer since 2000 :cool: openvein.org
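The two things this thread turns on, as an added example that is not code from any of the posters, Mozilla or DreamHost: the matching rule from post #1 (a `*` in a cert name may stand for exactly one hostname label, so `*.mail.dreamhost.com` does not cover `a1.postal.mail.dreamhost.com`), shown beside the older shell-glob behaviour that `NSS_USE_SHEXP_IN_CERT_NAME` restores, and the forward-then-reverse DNS procedure from post #3 for discovering the cluster hostname to type into Thunderbird. The function names, the pluggable `resolve`/`reverse` arguments and the `FAKE_FORWARD`/`FAKE_REVERSE` tables are constructed here so the script runs offline; the addresses and names in those tables are copied from the nslookup output above, not from live DNS.

```python
# Added example (not from the original posts): single-label wildcard
# matching as Thunderbird 2.0.0.23 applies it, beside the old glob-style
# matching, plus the forward/reverse DNS procedure from post #3 with a
# pluggable resolver so it can be run against constructed data offline.
import fnmatch
import socket
from typing import Callable, Tuple


def legacy_matches(cert_name: str, hostname: str) -> bool:
    """Old behaviour (what NSS_USE_SHEXP_IN_CERT_NAME=1 restores): the cert
    name is treated as a shell pattern, so '*' can swallow several labels."""
    return fnmatch.fnmatchcase(hostname.lower().rstrip("."),
                               cert_name.lower().rstrip("."))


def strict_matches(cert_name: str, hostname: str) -> bool:
    """Single-label wildcard matching: '*' may only be the whole left-most
    label of the cert name and stands for exactly one label of the host."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if "*" not in cert_name:
        return cert_labels == host_labels
    # Reject partial wildcards ("a*.example") and wildcards in later labels.
    if cert_labels[0] != "*" or any("*" in label for label in cert_labels[1:]):
        return False
    # Same label count, non-empty left-most host label, remaining labels equal.
    return (len(host_labels) == len(cert_labels)
            and host_labels[0] != ""
            and host_labels[1:] == cert_labels[1:])


# Hypothetical resolver signatures, shaped like socket.gethostbyname and
# socket.gethostbyaddr so the real functions can be passed in unchanged.
Resolver = Callable[[str], str]
Reverser = Callable[[str], Tuple[str, list, list]]


def cluster_hostname(mail_host: str,
                     resolve: Resolver = socket.gethostbyname,
                     reverse: Reverser = socket.gethostbyaddr) -> str:
    """Post #3's procedure: resolve mail.<your domain>, then reverse-resolve
    the address; the PTR name is the cluster host the certificate covers."""
    address = resolve(mail_host)
    ptr_name, _aliases, _addresses = reverse(address)
    return ptr_name.rstrip(".")


def server_name_for_client(mail_host: str, cert_name: str,
                           resolve: Resolver = socket.gethostbyname,
                           reverse: Reverser = socket.gethostbyaddr) -> str:
    """Return the hostname to enter in Thunderbird, refusing any name the
    certificate would not cover under single-label matching."""
    name = cluster_hostname(mail_host, resolve, reverse)
    if not strict_matches(cert_name, name):
        raise ValueError(f"{name} is not covered by {cert_name}")
    return name


# Constructed DNS data mirroring the lookups shown in post #3 (not live DNS).
FAKE_FORWARD = {"mail.example.com": "208.113.200.13"}
FAKE_REVERSE = {"208.113.200.13": ("looney.mail.dreamhost.com", [], ["208.113.200.13"])}

if __name__ == "__main__":
    cert = "*.mail.dreamhost.com"
    for host in ("a1.postal.mail.dreamhost.com", "looney.mail.dreamhost.com"):
        print(f"{host}: legacy={legacy_matches(cert, host)} "
              f"strict={strict_matches(cert, host)}")
    print(server_name_for_client("mail.example.com", cert,
                                 FAKE_FORWARD.__getitem__, FAKE_REVERSE.__getitem__))
```

Run against real DNS by dropping the `resolve`/`reverse` arguments; the defaults are the standard-library lookups. The check in `server_name_for_client` is the part worth keeping: a PTR name like `a1.postal.mail.dreamhost.com` resolves fine but would still be rejected by the client, so verify the discovered name against the cert pattern before putting it in the account settings.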