[Mutt] #3087: No server hostname validation in SSL certificate processing
The SSL X509 certificate handling in mutt does not check the CN= against
the FQDN that the user entered, and as such there is no indication that
the certificate that mutt receives from an SSL-based server actually
belongs to the server in question.
This could allow a malicious person to redirect (via DNS manipulation or
otherwise) a user to a different server than intended and, using a valid
server certificate from any host, permit the connection to succeed
normally with no indication to the user that the certificate is invalid
for the specified server.
I am attaching a patch against mutt 1.5.16 that looks like it will address
the problem. The behavior the patch implements mimics the behavior in
Mozilla-based e-mail clients.
--
Ticket URL: <http://dev.mutt.org/trac/ticket/3087>
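The check the ticket describes as missing, written out as an added example (this is not mutt's code and not the attached patch). After chain validation the client still has to compare the name the user typed against the names the certificate was issued for; the function below does that with the rules a Mozilla-style client applies: subjectAltName dNSName entries take precedence over the subject CN, a wildcard is honoured only as the whole leftmost label with at least two fixed labels behind it, and an IP literal must match an iPAddress entry exactly. The certificate is represented as a plain dict with the fields a TLS library exposes (`subject_cn`, `san_dns`, `san_ip`); that layout and the sample certificates are assumptions constructed for the example.

```python
"""Server identity check of the kind the ticket reports mutt lacked.

A certificate is modelled as a plain dict (an assumed layout for this
example, not a real TLS library structure):
    {"subject_cn": "imap.example.com",
     "san_dns": ["imap.example.com", "*.example.org"],
     "san_ip": ["192.0.2.10"]}
"""
import ipaddress


class HostnameMismatch(Exception):
    """Raised when a (chain-valid) certificate is not for the requested host."""


def _normalize(name):
    # DNS names are case-insensitive; a trailing dot marks an absolute name.
    return name.rstrip(".").lower()


def _dns_pattern_matches(pattern, hostname):
    """Match one dNSName/CN pattern against a hostname (RFC 6125 style)."""
    pattern = _normalize(pattern)
    hostname = _normalize(hostname)
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard only as the entire leftmost label, never in other labels,
    # and never for patterns like "*.com" that would cover a whole TLD.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    # "*" matches exactly one non-empty label, so label counts must agree.
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False
    return h_labels[1:] == p_labels[1:]


def cert_matches_hostname(cert, hostname):
    """True if the certificate was issued for `hostname`."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is compared only against iPAddress SAN entries.
        return any(ipaddress.ip_address(x) == ip for x in cert.get("san_ip", []))
    san_dns = cert.get("san_dns", [])
    if san_dns:
        # When any dNSName entries exist the CN is ignored entirely.
        return any(_dns_pattern_matches(p, hostname) for p in san_dns)
    cn = cert.get("subject_cn")
    return cn is not None and _dns_pattern_matches(cn, hostname)


def verify_server_identity(cert, requested_host):
    """The step to run after chain validation and before sending credentials."""
    if not cert_matches_hostname(cert, requested_host):
        raise HostnameMismatch(
            "certificate is not valid for %r (CN=%r, SAN=%r)"
            % (requested_host, cert.get("subject_cn"), cert.get("san_dns", []))
        )
    return True


# Constructed sample: a perfectly valid certificate, but for the wrong host,
# which is exactly what a DNS-redirect attacker would present.
ATTACKER_CERT = {"subject_cn": "mail.attacker.example",
                 "san_dns": ["mail.attacker.example"], "san_ip": []}
LEGIT_CERT = {"subject_cn": "imap.example.com",
              "san_dns": ["imap.example.com", "*.example.org"],
              "san_ip": ["192.0.2.10"]}


def redirect_attack_detected(requested_host="imap.example.com"):
    """Without the check the attacker cert is accepted; with it, rejected."""
    try:
        verify_server_identity(ATTACKER_CERT, requested_host)
    except HostnameMismatch:
        return True
    return False


if __name__ == "__main__":
    print("legit cert accepted:", cert_matches_hostname(LEGIT_CERT, "imap.example.com"))
    print("redirect to attacker detected:", redirect_attack_detected())
```

The point of the precedence rule is that a certificate carrying SAN entries is matched only on those entries; falling back to the CN when SAN is present would let a CN that a CA never validated as a hostname decide the outcome.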