File mutt-1.5.20-bnc537141.dif of Package mutt.4421

--- mutt_ssl.c
+++ mutt_ssl.c	2009-11-25 12:48:35.000000000 +0000
@@ -681,7 +681,8 @@ static int check_host (X509 *x509cert, c
       subj_alt_name = sk_GENERAL_NAME_value(subj_alt_names, i);
       if (subj_alt_name->type == GEN_DNS)
       {
-	if ((match_found = hostname_match(hostname_ascii,
+	if (mutt_strlen(subj_alt_name->d.ia5->data) == subj_alt_name->d.ia5->length &&
+	    (match_found = hostname_match(hostname_ascii,
 					  (char *)(subj_alt_name->d.ia5->data))))
 	{
 	  break;
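Review bot: The new length comparison on the added `if` line guards against a subjectAltName whose ASN.1 length exceeds its C-string length (an embedded NUL), but nothing in the hunk says so; a comment such as `/* a NUL inside the SAN makes the C-string shorter than the ASN.1 length: refuse to match it */` above the condition would stop a later maintainer from folding the check away. That same line passes `subj_alt_name->d.ia5->data` to `mutt_strlen` without the `(char *)` cast the following line applies to the same field, which is inconsistent and, since the OpenSSL field is `unsigned char *`, will draw a `-Wpointer-sign` warning; `mutt_strlen((char *)subj_alt_name->d.ia5->data)` keeps the two lines in step. Assuming `mutt_strlen` returns `size_t`, comparing it with the `int` field `length` also mixes signedness, so a cast on the length side would keep `-Wsign-compare` quiet. The rest of check_host lies outside this hunk.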
@@ -711,7 +712,9 @@ static int check_host (X509 *x509cert, c
 	strfcpy (err, _("cannot get certificate common name"), errlen);
       goto out;
     }
-    match_found = hostname_match(hostname_ascii, buf);
+    if (mutt_strlen(buf) == bufsize - 1) {
+      match_found = hostname_match(hostname_ascii, buf);
+    }
   }
 
   if (!match_found)
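Review bot: The condition `mutt_strlen(buf) == bufsize - 1` on the added line is only correct if `bufsize` was derived from the CN length the certificate reports plus one byte for the terminator; that setup is above this hunk, so the check reads like an off-by-one rather than the intended NUL-in-CN defence. A comment next to it, e.g. `/* bufsize is the certificate's CN length + 1; a shorter C string means an embedded NUL, so don't match */`, makes the intent verifiable in place. If `mutt_strlen` returns `size_t`, comparing it with the `int` expression `bufsize - 1` is sign-mixed; `(size_t)(bufsize - 1)` is safe provided `bufsize` is at least 1 here, which the visible lines do not confirm. check_host continues outside the hunk on both sides.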
@@ -745,6 +748,7 @@ static int ssl_cache_trusted_cert (X509
 static int ssl_check_preauth (X509 *cert, const char* host)
 {
   char buf[SHORT_STRING];
+  int trusted = 0;
 
   /* check session cache first */
   if (check_certificate_cache (cert))
@@ -753,6 +757,13 @@ static int ssl_check_preauth (X509 *cert
     return 1;
   }
 
+  /* automatic check from user's database */
+  if (SslCertFile && check_certificate_by_digest (cert))
+  {
+    dprint (2, (debugfile, "ssl_check_preauth: digest check passed\n"));
+    trusted++;
+  }
+
   buf[0] = 0;
   if (host && option (OPTSSLVERIFYHOST) != M_NO)
   {
@@ -760,24 +771,20 @@ static int ssl_check_preauth (X509 *cert
     {
       mutt_error (_("Certificate host check failed: %s"), buf);
       mutt_sleep (2);
-      return -1;
+      if (!trusted)	/* don't fail if cert is manually trusted */
+	return -1;
     }
     dprint (2, (debugfile, "ssl_check_preauth: hostname check passed\n"));
   }
 
+  if (trusted) return 1;
+
   if (check_certificate_by_signer (cert))
   {
     dprint (2, (debugfile, "ssl_check_preauth: signer check passed\n"));
     return 1;
   }
 
-  /* automatic check from user's database */
-  if (SslCertFile && check_certificate_by_digest (cert))
-  {
-    dprint (2, (debugfile, "ssl_check_preauth: digest check passed\n"));
-    return 1;
-  }
-
   return 0;
 }
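Review bot: After the added `if (!trusted) return -1;`, a digest-trusted certificate that fails the hostname check falls through to the unchanged `dprint (2, (debugfile, "ssl_check_preauth: hostname check passed\n"));`, so the debug log records a pass that did not happen. Attaching that line to the success path fixes it: close the failure block with `}` followed by `else` and the `dprint` call, so only a genuine match logs "hostname check passed". On that trusted-but-mismatched path the user still gets `mutt_error (_("Certificate host check failed: %s"), buf)` and the two-second pause before the connection proceeds, which is presumably meant as a warning; a message stating that the certificate was accepted because it is in SslCertFile would be clearer than a failure message followed by silent success. The `trusted` flag and the relocated digest check are introduced in the two preceding hunks.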
 