Brightmail Gateway does not accept Subject Alternative Name (SAN) certificates when negotiating TLS connections
Last Updated October 15, 2012
You are seeing TLS communication failing with some domains when the hostname you are connecting to does not match the host in the certificate Subject field.
Symptoms
Failure to establish TLS encrypted communication with domains that have valid TLS certificates.
2010 Apr 1 15:40:09 CEST (info) ecelerity:  ec_ssl_ctx 0x95baffc8 tls_verify_hostname failed: mx.domain.com not in (mx2.domain.com,#sms#00000002)
The TLS implementation in v8.0.x of the Brightmail Gateway is very strict in its certificate validation and compares the host information defined in the certificate Subject field with the hostname to which it is connecting. If they do not match, certificate validation fails and the TLS negotiation is terminated. Some certificates list alternate hostnames in the certificate, but this Brightmail Gateway release does not honor the optional Subject Alternative Name field in the TLS certificate.
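The two validation behaviours described above, shown side by side as an added example (this is illustrative code written for this article, not Brightmail Gateway's own implementation). The certificate below is a constructed stand-in modelled on the log line: its Subject CN is mx2.domain.com while the SAN extension also lists mx.domain.com. The certificate is assumed to be in the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns; the function names match_cn_only and match_with_san are this example's own.

```python
"""Hostname verification against a certificate's Subject CN and SAN.

Assumed certificate representation (same shape as ssl.getpeercert()):
  {'subject': ((('commonName', 'x'),),), 'subjectAltName': (('DNS', 'y'), ...)}
The checkers are illustrative; they are not the gateway's code.
"""

# Constructed example certificate (not a real certificate), modelled on the
# log line: Subject CN is mx2.domain.com, SAN also carries mx.domain.com.
EXAMPLE_CERT = {
    "subject": (
        (("countryName", "XX"),),
        (("commonName", "mx2.domain.com"),),
    ),
    "subjectAltName": (
        ("DNS", "mx2.domain.com"),
        ("DNS", "mx.domain.com"),
        ("DNS", "*.mail.domain.com"),
    ),
}


def _dnsname_match(pattern: str, hostname: str) -> bool:
    """Match one DNS-ID pattern against a hostname in the RFC 6125 style.

    Comparison is case-insensitive and ignores a trailing dot. A wildcard is
    honoured only when it is the entire left-most label, it never matches
    across a dot, and it needs at least two further labels (no '*.com').
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    if labels[0] != "*" or any("*" in lab for lab in labels[1:]) or len(labels) < 3:
        return False
    host_labels = hostname.split(".")
    if len(host_labels) != len(labels):
        return False
    return host_labels[1:] == labels[1:]


def _common_names(cert) -> list:
    """All commonName values from the Subject RDN sequence."""
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]


def _san_dns_names(cert) -> list:
    """All dNSName entries from the Subject Alternative Name extension."""
    return [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]


def match_cn_only(cert, hostname: str) -> bool:
    """Strict legacy behaviour described in the article: compare the
    connecting hostname only against the Subject commonName and ignore SAN."""
    return any(_dnsname_match(cn, hostname) for cn in _common_names(cert))


def match_with_san(cert, hostname: str) -> bool:
    """SAN-aware behaviour: when the certificate carries DNS SAN entries they
    are authoritative; only a certificate with no DNS SAN falls back to CN."""
    sans = _san_dns_names(cert)
    if sans:
        return any(_dnsname_match(name, hostname) for name in sans)
    return match_cn_only(cert, hostname)


if __name__ == "__main__":
    host = "mx.domain.com"  # the hostname the gateway connected to in the log line
    print(f"CN-only check for {host}: {match_cn_only(EXAMPLE_CERT, host)}")
    print(f"SAN-aware check for {host}: {match_with_san(EXAMPLE_CERT, host)}")
```

For the constructed certificate the CN-only check rejects mx.domain.com, which is exactly the failure the log line reports, while the SAN-aware check accepts it. When troubleshooting a similar failure, inspect the peer certificate's SAN extension rather than only its Subject; a certificate whose SAN lists the MX hostname is valid even though the CN differs.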
This issue has been resolved in version 9.0.2 of the Brightmail Gateway software.
Customers are encouraged to update to the latest software release at their earliest convenience.
Imported Document ID: TECH131452