proposal: crypto/tls: add Config.AdditionalServerNames #61483
Comments
This allows multiple ServerName entries to be valid by
A new field for additional server names is most reasonable, to not require changes to existing implementations by people using the
Mail servers like the ones Google offers for your domain name don't do this, and this is why multiple server names are required in the TLS client.
It is not possible for those Google domains to return a server name of ispapp.co. The Microsoft domain
Realize that this does mean that all Google-hosted email depends on the DNS MX record, meaning the cleartext DNS record can be modified in transit if you have access to a router there, and the mail will seemingly be delivered to
CC @golang/security
I'm not sure why you'd need multiple server names, or what that would even mean. The mail protocol is higher level than individual TLS connections: you look at the MX records, choose one result, resolve the address for that, and make a connection. You don't connect to a single server expecting it to answer to all names listed in the MX records for a domain.
The server chosen to connect to is That server returns
Here's how Microsoft allows you to configure that with https://learn.microsoft.com/en-us/exchange/troubleshoot/email-delivery/office-365-notice
When making an SMTP connection to
As @seankhliao said, you're supposed to figure out what name you're connecting to before you start the TLS connection, either through the STARTTLS protocol or by selecting a specific MX record. This can be implemented in the application, I don't think we should add support for it in crypto/tls. (Also, note that you seem to have bigger problems, since the error message says "certificate is not valid for any names".) |
That's not true. Gmail provided by Google Workspaces uses the TLS certificate of the host you are connecting to. The truth here is that Google and Microsoft are doing different things as email providers for different domains. There's no way to figure out what name you're connecting to before you start the TLS connection. The only possibility is to provide the list of valid names, or fail and connect multiple times. It makes more sense to have a list of names than to open multiple connections.
@FiloSottile, you should understand what I say; it will help you to learn the reasons reconnecting again and again causes location to be relevant. If I am here, on Earth... I need to do DNS lookups from each continent at least to ensure that these DNS records are valid any time that the TLS certificate isn't that of the domain that the email is being sent to. That's a reality with large companies hosting email for other domains.
tls.Config.ServerName should be []string instead of string. https://cs.opensource.google/go/go/+/refs/tags/go1.20.6:src/crypto/tls/common.go;l=521
Some SMTP servers allow you to provide a unique domain TLS key and use their domain name instead of you creating a subdomain.
For example, look up the domain yourpc.ie: you will see that there are two MX servers, the first being yourpc-ie.mail.protection.outlook.com.
If you connect to yourpc-ie.mail.protection.outlook.com with this TLS config:
This error is returned:
x509: certificate is not valid for any names, but wanted to match spamfilter.yourpc.ie