Re: [Mutt] #3087: No server hostname validation in SSL certificate

To: mutt0708@xxxxxxxxxxxx, pdmef@xxxxxxx
Subject: Re: [Mutt] #3087: No server hostname validation in SSL certificate
From: Mutt <fleas@xxxxxxxx>
Date: Mon, 11 Aug 2008 16:05:34 -0000
Cc: mutt-dev@xxxxxxxx
In-reply-to: <041.5f29cc9ccef2bf90b608bd24734b6365@xxxxxxxx>
List-post: <mailto:mutt-dev@mutt.org>
List-unsubscribe: send mail to majordomo@mutt.org, body only "unsubscribe mutt-dev"
Mail-followup-to: fleas@xxxxxxxx
References: <041.5f29cc9ccef2bf90b608bd24734b6365@xxxxxxxx>
Reply-to: fleas@xxxxxxxx
Sender: owner-mutt-dev@xxxxxxxx

#3087: No server hostname validation in SSL certificate processing

Changes (by pdmef):

  * priority:  critical => major
  * status:  closed => reopened
  * resolution:  fixed =>

Comment:

 The hostname check added in [934a802dff7f] is likely incomplete.

 First, http://www.openssl.org/docs/crypto/X509_NAME_get_index_by_NID.html
 says `X509_NAME_get_text_by_NID()` is a legacy function with limitations.
 Second, it seems that simply matching full hostnames is not enough as
 other verification implementations (including GnuTLS) seem to support
 pattern and domain name matching as well as extracting all hostnames
 provided in the certificate.

 The hostname verification used in msmtp together with OpenSSL could be a
 candiate implementation for mutt as it seems to check more than the first
 CN and does support pattern matching.

-- 
Ticket URL: <http://dev.mutt.org/trac/ticket/3087#comment:4>

References:
- [Mutt] #3087: No server hostname validation in SSL certificate processing
  - From: Mutt

Prev by Date: Re: [Mutt] #3101: backtics or backticks?
Next by Date: qdbm successor
Previous by thread: Re: [Mutt] #3087: No server hostname validation in SSL certificate
Next by thread: Re: [Mutt] #3087: No server hostname validation in SSL certificate
Index(es):
- Date
- Thread