Re: [Mutt] #3087: No server hostname validation in SSL certificate
#3087: No server hostname validation in SSL certificate processing
Changes (by pdmef):
* priority: critical => major
* status: closed => reopened
* resolution: fixed =>
Comment:
The hostname check added in [934a802dff7f] is likely incomplete.
First, http://www.openssl.org/docs/crypto/X509_NAME_get_index_by_NID.html
says `X509_NAME_get_text_by_NID()` is a legacy function with limitations.
Second, it seems that simply matching full hostnames is not enough as
other verification implementations (including GnuTLS) seem to support
pattern and domain name matching as well as extracting all hostnames
provided in the certificate.
The hostname verification used in msmtp together with OpenSSL could be a
candidate implementation for mutt as it seems to check more than the first
CN and does support pattern matching.
--
Ticket URL: <http://dev.mutt.org/trac/ticket/3087#comment:4>
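The comment above lists three things a hostname check should do: look at every name the certificate presents rather than only the first CN, match wildcard patterns, and compare domain names properly. The following is an added illustration of that matching logic in C, written for this page; it is not mutt's, msmtp's or OpenSSL's code. It works on plain strings, so the list of names is a constructed stand-in for what a caller would collect from the certificate's subjectAltName dNSName entries (in OpenSSL via `X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL)`), falling back to the subject CN only when no dNSName is present. IP-address SANs and internationalised names in U-label form are not handled. OpenSSL 1.0.2 and later ship `X509_check_host()`, which implements these rules natively and is what a current client should call.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive equality of two byte ranges (DNS names are ASCII
 * case-insensitive; IDNs are assumed to be already in A-label form). */
static bool ieq(const char *a, size_t alen, const char *b, size_t blen)
{
    if (alen != blen)
        return false;
    for (size_t i = 0; i < alen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Length of s ignoring one trailing dot, so "host." and "host" agree. */
static size_t trim_dot(const char *s)
{
    size_t n = strlen(s);
    if (n > 0 && s[n - 1] == '.')
        n--;
    return n;
}

/* Match one certificate name against the host the user connected to.
 * Returns true only if the whole name matches; a wildcard is honoured
 * only as the complete leftmost label ("*.example.org"). */
bool hostname_matches(const char *pattern, const char *host)
{
    size_t plen = trim_dot(pattern), hlen = trim_dot(host);
    if (plen == 0 || hlen == 0)
        return false;
    /* A real hostname never contains '*'; refuse it so that a literal
     * "*.example.org" from the user can't satisfy a wildcard name. */
    if (memchr(host, '*', hlen) != NULL)
        return false;

    if (pattern[0] != '*')
        return ieq(pattern, plen, host, hlen);

    /* Wildcard rules (conservative subset of RFC 6125 section 6.4.3):
     *  - "*" must be the entire leftmost label, so "ma*.example.org"
     *    and "*mail.example.org" never match anything;
     *  - at least two labels must follow it ("*.org" is rejected);
     *  - "*" matches exactly one label, so a.b.example.org does not
     *    match *.example.org, and neither does example.org itself. */
    if (plen < 2 || pattern[1] != '.')
        return false;
    if (memchr(pattern + 2, '.', plen - 2) == NULL)
        return false;
    const char *hdot = memchr(host, '.', hlen);
    if (hdot == NULL)
        return false;

    /* Compare the parent domains: everything after the first dot. */
    size_t prest = plen - 2;
    size_t hrest = hlen - (size_t)(hdot + 1 - host);
    return ieq(pattern + 2, prest, hdot + 1, hrest);
}

/* Try every name the certificate presents.  `names` stands in for the
 * list a caller would build from the subjectAltName dNSName entries and,
 * only when the certificate has no dNSName at all, the subject CN.
 * Stopping at the first CN is exactly what the ticket warns against. */
bool verify_hostname(const char *const *names, size_t count, const char *host)
{
    for (size_t i = 0; i < count; i++)
        if (hostname_matches(names[i], host))
            return true;
    return false;
}

/* Constructed names standing in for what one certificate might present:
 * a CN plus two SAN dNSName entries, one of them a wildcard. */
static const char *const demo_names[] = {
    "example.org",       /* subject CN */
    "*.example.org",     /* SAN dNSName */
    "smtp.example.net",  /* SAN dNSName */
};

/* Convenience wrapper over the constructed certificate names. */
bool demo_check(const char *host)
{
    return verify_hostname(demo_names,
                           sizeof demo_names / sizeof demo_names[0], host);
}

int main(void)
{
    const char *hosts[] = { "imap.example.org", "IMAP.EXAMPLE.ORG",
                            "a.b.example.org", "example.org",
                            "smtp.example.net", "imap.example.net" };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-20s %s\n", hosts[i],
               demo_check(hosts[i]) ? "match" : "NO MATCH");
    return 0;
}
```

The deliberately strict points are the ones that older matchers got wrong: a wildcard never spans a dot, never stands for the registrable domain itself, and is ignored when it is only part of a label. Anything the matcher is unsure about is a mismatch, which is the safe default for a client deciding whether to send credentials.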