
Re: [Mutt] #3087: No server hostname validation in SSL certificate



#3087: No server hostname validation in SSL certificate processing

Changes (by pdmef):

  * priority:  critical => major
  * status:  closed => reopened
  * resolution:  fixed =>

Comment:

 The hostname check added in [934a802dff7f] is likely incomplete.

 First, http://www.openssl.org/docs/crypto/X509_NAME_get_index_by_NID.html
 says `X509_NAME_get_text_by_NID()` is a legacy function with limitations.
 Second, it seems that simply matching full hostnames is not enough as
 other verification implementations (including GnuTLS) seem to support
 pattern and domain name matching as well as extracting all hostnames
 provided in the certificate.

 The hostname verification used in msmtp together with OpenSSL could be a
 candidate implementation for mutt as it seems to check more than the first
 CN and does support pattern matching.

-- 
Ticket URL: <http://dev.mutt.org/trac/ticket/3087#comment:4>
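The matching rules the comment above asks for (every name the certificate carries, not only the first CN, plus wildcard patterns) can be written independently of the OpenSSL name-extraction calls. The following C is an added example and is not code from mutt, msmtp or OpenSSL; it assumes the caller has already pulled all subjectAltName dNSName entries and the subject CN out of the certificate into plain strings, so the example builds stand-alone without libssl. The names used in the demo are constructed.

```c
/*
 * Hostname matching for TLS certificate verification (added example; not
 * mutt, msmtp or OpenSSL code). Assumes the caller has already extracted
 * every dNSName from the subjectAltName extension, and the subject CN as a
 * fallback, into plain C strings. The OpenSSL extraction step is omitted.
 */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison of exactly n bytes. */
static int eq_n(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    }
    return 1;
}

/*
 * Match one certificate name (possibly a wildcard pattern) against the
 * hostname the user connected to. Comparison is case-insensitive; a
 * single '*' is accepted only as the entire leftmost label and consumes
 * exactly one label, so "*.example.org" covers "mail.example.org" but not
 * "example.org" or "a.b.example.org"; patterns such as "*.org" or
 * "m*.example.org" are rejected. Returns 1 on match, 0 otherwise.
 */
int hostname_matches(const char *pattern, const char *host)
{
    size_t plen = strlen(pattern), hlen = strlen(host);

    /* Ignore a single trailing dot on either side (absolute FQDN form). */
    if (plen && pattern[plen - 1] == '.') plen--;
    if (hlen && host[hlen - 1] == '.') hlen--;
    if (!plen || !hlen) return 0;

    /* No wildcard: plain case-insensitive equality of the whole name. */
    if (memchr(pattern, '*', plen) == NULL)
        return plen == hlen && eq_n(pattern, host, plen);

    /* Wildcard must be the whole first label, i.e. "*." + at least two labels. */
    if (plen < 3 || pattern[0] != '*' || pattern[1] != '.')
        return 0;
    if (memchr(pattern + 2, '*', plen - 2) != NULL)
        return 0;                       /* only one wildcard, in label one */
    if (memchr(pattern + 2, '.', plen - 2) == NULL)
        return 0;                       /* "*.org" would match every domain */

    /* The host's first label is consumed by '*'; it must be non-empty, and
       the remainder must equal the pattern's suffix label for label. */
    const char *dot = memchr(host, '.', hlen);
    if (dot == NULL || dot == host) return 0;
    size_t suffix_len = hlen - (size_t)(dot - host) - 1;
    if (suffix_len != plen - 2) return 0;
    return eq_n(pattern + 2, dot + 1, suffix_len);
}

/*
 * Check the connected hostname against every name in the certificate.
 * san_names holds all dNSName entries from subjectAltName. Only when the
 * certificate carries no dNSName at all is the subject CN consulted, which
 * is the fallback order most verifiers use. Returns 1 on match, else 0.
 */
int verify_cert_hostname(const char *const *san_names, size_t n_san,
                         const char *cn, const char *host)
{
    if (n_san > 0) {
        for (size_t i = 0; i < n_san; i++)
            if (hostname_matches(san_names[i], host)) return 1;
        return 0;                       /* SAN present: CN is not consulted */
    }
    return cn != NULL && hostname_matches(cn, host);
}

int main(void)
{
    /* Constructed sample: a certificate with two SAN entries and a CN. */
    const char *const sans[] = { "imap.example.org", "*.mail.example.org" };
    const char *cn = "pop.example.org";
    const char *hosts[] = { "IMAP.example.org", "smtp.mail.example.org",
                            "pop.example.org", "a.b.mail.example.org" };

    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-24s -> %s\n", hosts[i],
               verify_cert_hostname(sans, 2, cn, hosts[i]) ? "match" : "NO MATCH");
    return 0;
}
```

Note that "pop.example.org" is rejected even though it equals the CN: once a certificate carries dNSName entries, the CN is ignored, which is why a verifier that only reads the first CN both misses valid SAN-only certificates and accepts names the certificate does not actually assert.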