Important Announcement for the TrueNAS Community.
The TrueNAS Community has now been moved. This forum has become READ-ONLY for historical purposes. Please feel free to join us on the new TrueNAS Community Forums

No server hostname validation in SSL certificate processing (email reports)

Thread starter GalaFructose
Start date Oct 28, 2023

GalaFructose

Cadet

Oct 28, 2023

The SSL X509 certificate handling in TrueNAS does not check the CN= against the FQDN that the user configured, and as such there is no indication that the certificate that TrueNAS receives from a SSL-based server actually belongs to the server in question, when sending out email reports.

This could allow a malicious person to redirect (via DNS manipulation or otherwise) a user to a different server than intended and, using a valid server certificate from any host, permit the connection to succeed normally with no indication to the user that the certificate is invalid for the specified server.

Ideally, TrueNAS would do this check, but also have a checkbox to ignore such invalid hostname/SSL errors.

You must log in or register to reply here.

Similar threads

Locked

SSL Certificate not Listed in System > General > Certificate:

Replies: 8

Views: 6K

Jun 17, 2017

Mugiwara

i can't access my server with the hostname after updating the certificate

Replies: 2

Views: 2K

Jan 5, 2023

c77dk

Nextclound under Truenas Scale, synce Contacs, truenas_default SSL certificate, not working with Iphone IOS

Replies: 2

Views: 1K

Feb 14, 2024

nestor_78

Truecommand - SSL Error when using an internal CA cert and adding a node

Replies: 0

Views: 2K

May 21, 2023

onthax

Invalid Certificate

Replies: 2

Views: 5K

Jun 6, 2020

afc_rich

Facebook Twitter Reddit Pinterest Tumblr WhatsApp Email Link

Forum is Read Only.

This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
By continuing to use this site, you are consenting to our use of cookies.

Accept Learn more…

Top