Opened 6 years ago

#8592 new Bug report

Common Name in SSL/TLS certificates is not checked against the server name connected to

Reported by: Holger Böhnke Owned by:
Priority: normal Component: FileZilla Client
Keywords: checkt tls common name Cc:
Component version: Operating system type:
Operating system version:

Description

When connecting to a site using FTPS (SSL/TLS) the common name of the certificate is not checked against the server name. Although a warning is displayed that the certificate is untrusted it is not explicitly stated that the server named mismatches the CN.

This could be easily overlooked by unexperienced users.

Steps to reproduce:

In servermanager:
config server A: serverA.domain.com (explicit TLS)

Setup an FTP Server serverA.domain.com presenting a certificate with a common name of "someotherserver.domain.com"

Connect to server A, a warning is displayed that the certificate is not trusted. The fact that "serverA.domain.com" and "someotherserver.domain.com" do not match is not explicitly stated.

As this is a strong indication of malicious activity, the user should be warned about it in an urgent manner.

Change History (0)

Note: See TracTickets for help on using tickets.