proposal: crypto/tls: add Config.AdditionalServerNames

[andrewhodel]

tls.Config.ServerName should be []string instead of string.

https://cs.opensource.google/go/go/+/refs/tags/go1.20.6:src/crypto/tls/common.go;l=521

Some SMTP servers allow you to provide a unique domain TLS key and use their domain name instead of you creating a subdomain.

For example, look up the domain yourpc.ie:

dig yourpc.ie MX 

; <<>> DiG 9.10.6 <<>> yourpc.ie MX
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60768
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;yourpc.ie.			IN	MX

;; ANSWER SECTION:
yourpc.ie.		1800	IN	MX	30 yourpc-ie.mail.protection.outlook.com.
yourpc.ie.		1800	IN	MX	1 spamfilter.yourpc.ie.

;; Query time: 204 msec
;; SERVER: 2001:1998:f00:1::1#53(2001:1998:f00:1::1)
;; WHEN: Thu Jul 20 10:47:01 CDT 2023
;; MSG SIZE  rcvd: 118

Read that there are two MX servers, the first being yourpc-ie.mail.protection.outlook.com.

If you connect to yourpc-ie.mail.protection.outlook.com with this TLS config:

tlsconfig = &tls.Config {
      ServerName: "yourpc-ie.mail.protection.outlook.com",
      ClientAuth: tls.RequireAndVerifyClientCert,
}

This error is returned, x509: certificate is not valid for any names, but wanted to match spamfilter.yourpc.ie.

[andrewhodel]

This allows multiple ServerName entries to be valid by tls.Config{}.

[andrewhodel]

A new field for additional server names is most reasonable, to not require changes to existing implementations by people using the tls module.

tls.config.AdditionalServerNames []string

[andrewhodel]

Mail servers like Google offers for your domain name don't do this, and this is why multiple server names are required in the TLS client.

ispapp.co.		300	IN	MX	5 alt2.aspmx.l.google.com.
ispapp.co.		300	IN	MX	10 aspmx2.googlemail.com.
ispapp.co.		300	IN	MX	10 aspmx3.googlemail.com.
ispapp.co.		300	IN	MX	1 aspmx.l.google.com.
ispapp.co.		300	IN	MX	5 alt1.aspmx.l.google.com.

It is not possible for those google domains to return a server name of ispapp.co

The Microsoft domain yourpc-ie.mail.protection.outlook.com does because yourpc-ie.mail is unique in it.

[andrewhodel]

Realize that does mean that all Google hosted email depends on the DNS MX record, meaning the cleartext DNS record can be modified in transit if you have access to a router there and the mail will be seemingly delivered to any mail server.

[ianlancetaylor]

CC @golang/security

[seankhliao]

I'm not sure why you'd need a multiple servernames, or what that would even mean?

The mail protocol is higher level than individual TLS connections: you look at the MX records, choose one result, and resolve the address for that and make a connection. You don't connect to a single server expecting it to answer to all names listed in the MX records for a domain.

[andrewhodel]

@seankhliao

The server chosen to connect to is yourpc-ie.mail.protection.outlook.com.

That server returns ServerName spamfilter.yourpc.ie as you can read in the error message: x509: certificate is not valid for any names, but wanted to match spamfilter.yourpc.ie.

[andrewhodel]

Here's how Microsoft allows you to configure that with *******.mail.protection.outlook.com:

https://learn.microsoft.com/en-us/exchange/troubleshoot/email-delivery/office-365-notice

[andrewhodel]

When making a SMTP connection to yourpc-ie.mail.protection.outlook.com and executing the STARTTLS command after the required initialization SMTP commands in the order defined by RFC 5321, the ServerName returned is not that of the host connected to but spamfilter.yourpc.ie.

@seankhliao