Hi there,

Attached is a little patch against upstream to fix the search for a matching hostname within the X509v3 Subject Alternative Names with a DNS type. Without the fix mutt does not compare the hostname with the good data of subj_alt_name, thus always failing over to the Common Name of the certificate, causing mutt, when the CN is not equal to the hostname, to always warn:

    Certificate host check failed: certificate owner does not match hostname <hostname>

Compiling also gives a warning:

    mutt_ssl.c: In function ‘check_host’:
    mutt_ssl.c:763: warning: passing argument 1 of ‘mutt_strlen’ from incompatible pointer type
    lib.h:193: note: expected ‘const char *’ but argument is of type ‘struct GENERAL_NAME *’

The fix consists only in passing to mutt_strlen the same value that is passed to hostname_match thereafter, i.e. (char *)(subj_alt_name->d.ia5->data).

Hope that it will be fixed upstream soon,
Julien Moutinho.
diff --git a/mutt_ssl.c b/mutt_ssl.c index 1a45672..9a5fb37 100644 --- a/mutt_ssl.c +++ b/mutt_ssl.c @@ -760,7 +760,7 @@ static int check_host (X509 *x509cert, const char *hostname, char *err, size_t e subj_alt_name = sk_GENERAL_NAME_value(subj_alt_names, i); if (subj_alt_name->type == GEN_DNS) { - if (mutt_strlen(subj_alt_name) == subj_alt_name->d.ia5->length && + if (mutt_strlen((char *)(subj_alt_name->d.ia5->data)) == subj_alt_name->d.ia5->length && (match_found = hostname_match(hostname_ascii, (char *)(subj_alt_name->d.ia5->data)))) {
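Review bot: the cast `(char *)(subj_alt_name->d.ia5->data)` now appears twice in the same condition; hoist it into a local such as `const char *dns = (const char *)subj_alt_name->d.ia5->data;` so the `mutt_strlen` check and the `hostname_match` call are guaranteed to operate on the same pointer. The corrected comparison of `mutt_strlen(...)` against `subj_alt_name->d.ia5->length` is what rejects a dNSName carrying an embedded NUL byte, so a one-line comment stating that intent would help the next reader; and if `mutt_strlen` returns `size_t`, comparing it with the `int` `length` may draw a sign-compare warning and deserves an explicit cast.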
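As an added example (not code from mutt or from the patch author), here is a self-contained C version of the check the patch repairs, using a constructed `struct san_dns` in place of OpenSSL's `ASN1_IA5STRING`; it shows why the C-string length must equal the ASN.1 declared length before the name is compared.

```c
#include <stddef.h>
#include <string.h>
#include <ctype.h>

/* Constructed stand-in for the length-prefixed IA5String that OpenSSL
 * stores in a dNSName SAN (not OpenSSL's real ASN1_IA5STRING type). */
struct san_dns {
    int length;                 /* length declared by the certificate encoding */
    const unsigned char *data;  /* raw bytes; the encoding permits NUL inside */
};

/* Case-insensitive equality of two NUL-terminated DNS names. */
static int dns_name_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Returns 1 if the SAN entry names 'hostname', 0 otherwise.  Mirrors the
 * patched condition: the C-string length of the data must equal the
 * declared length; if it is shorter, an embedded NUL would make the C
 * string a different (shorter) name than the one the CA actually signed. */
int san_dns_matches(const struct san_dns *san, const char *hostname)
{
    const char *name = (const char *)san->data;
    if (san->length < 0 || strlen(name) != (size_t)san->length)
        return 0;   /* rejected before any comparison happens */
    return dns_name_equal(name, hostname);
}

/* Constructed samples: an ordinary SAN and one with a NUL in the middle. */
static const unsigned char GOOD[]   = "mail.example.com";
static const unsigned char TRICKY[] = "mail.example.com\0.example.net";

int demo_good(void)
{
    struct san_dns san = { (int)(sizeof GOOD - 1), GOOD };
    return san_dns_matches(&san, "MAIL.example.com");   /* returns 1 */
}

int demo_tricky(void)
{
    struct san_dns san = { (int)(sizeof TRICKY - 1), TRICKY };
    return san_dns_matches(&san, "mail.example.com");   /* returns 0 */
}
```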