Hi there,

Attached is a little patch against upstream to fix the search for a matching hostname within the X509v3 Subject Alternative Names with a DNS type.

Without the fix mutt does not compare the hostname with the good data of subj_alt_name, thus always failing over to the Common Name of the certificate; causing mutt, when the CN is not equal to the hostname, to always warn:

Certificate host check failed: certificate owner does not match hostname <hostname>

Compiling also gives a warning:

mutt_ssl.c: In function ‘check_host’:
mutt_ssl.c:763: warning: passing argument 1 of ‘mutt_strlen’ from incompatible pointer type
lib.h:193: note: expected ‘const char *’ but argument is of type ‘struct GENERAL_NAME *’

The fix consists only in passing to mutt_strlen the same value that is passed to hostname_match thereafter, i.e.: (char *)(subj_alt_name->d.ia5->data).

Hope that it will be fixed upstream soon,
Julien Moutinho.

diff --git a/mutt_ssl.c b/mutt_ssl.c
index 1a45672..9a5fb37 100644
--- a/mutt_ssl.c
+++ b/mutt_ssl.c
@@ -760,7 +760,7 @@ static int check_host (X509 *x509cert, const char
*hostname, char *err, size_t e
subj_alt_name = sk_GENERAL_NAME_value(subj_alt_names, i);
if (subj_alt_name->type == GEN_DNS)
{
- if (mutt_strlen(subj_alt_name) == subj_alt_name->d.ia5->length &&
+ if (mutt_strlen((char *)(subj_alt_name->d.ia5->data)) ==
subj_alt_name->d.ia5->length &&
(match_found = hostname_match(hostname_ascii,
(char
*)(subj_alt_name->d.ia5->data))))
{
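Review bot: the cast `(char *)(subj_alt_name->d.ia5->data)` now appears twice in this condition, once for mutt_strlen and once for hostname_match; hold it in a local before the `if` so the length check and the match cannot drift apart again. The comparison against `subj_alt_name->d.ia5->length` also deserves a one-line comment saying that it rejects a name whose string length differs from its ASN.1 length, since that intent was not obvious enough to catch the wrong argument. The hunk as posted is wrapped by the mailer (the `@@` line, the `+` line and the `(char` continuation are split), so it will not apply as is; please resend it unwrapped or as an attachment.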
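The effect described in the message, as an added example that is not part of the original post or of mutt's code: the pre-patch and post-patch shape of the check, run over constructed entries. The struct models, `name_equal` (a simplified stand-in for mutt's `hostname_match`) and the sample names are assumptions made for the illustration.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Constructed stand-ins for the OpenSSL types the hunk touches; only the
 * fields used by the check are modelled. */
enum { GEN_DNS_MODEL = 2 };
struct ia5_model { int length; unsigned char *data; };
struct general_name_model { int type; struct ia5_model *ia5; };

/* Simplified stand-in for mutt's hostname_match(): exact, case-insensitive. */
static int name_equal(const char *host, const char *cert) {
  return strcasecmp(host, cert) == 0;
}

/* Pre-patch shape: the length is measured on the struct's own bytes, not on
 * the name. Those bytes start with the int `type`, so strlen() stops at a
 * zero byte inside it and does not equal the length of a real hostname. */
static int san_match_before(const struct general_name_model *n, const char *host) {
  if (n->type != GEN_DNS_MODEL) return 0;
  return strlen((const char *)n) == (size_t)n->ia5->length &&
         name_equal(host, (const char *)n->ia5->data);
}

/* Post-patch shape: strlen() of the name itself must equal the ASN.1
 * length, so a name with an embedded NUL byte is rejected as well. */
static int san_match_after(const struct general_name_model *n, const char *host) {
  const char *dns;
  if (n->type != GEN_DNS_MODEL) return 0;
  dns = (const char *)n->ia5->data;
  return strlen(dns) == (size_t)n->ia5->length && name_equal(host, dns);
}

/* Constructed sample entries: a plain name and one with an embedded NUL. */
static unsigned char good_bytes[] = "mail.example.org";
static unsigned char nul_bytes[] = "mail.example.org\0.example.net";
static struct ia5_model good_ia5 = { sizeof good_bytes - 1, good_bytes };
static struct ia5_model nul_ia5 = { sizeof nul_bytes - 1, nul_bytes };
static struct general_name_model good_san = { GEN_DNS_MODEL, &good_ia5 };
static struct general_name_model nul_san = { GEN_DNS_MODEL, &nul_ia5 };

int main(void) {
  /* Exit status 0 when the fixed check accepts the plain name, the old
   * check misses it, and the fixed check rejects the embedded-NUL name. */
  return !(san_match_after(&good_san, "mail.example.org") &&
           !san_match_before(&good_san, "mail.example.org") &&
           !san_match_after(&nul_san, "mail.example.org"));
}
```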