Improve host checking for SSL with intermediate certificates.

diff --git a/ChangeLog b/ChangeLog
index d0f3b4922705961b443b5407acc97225ce50cb03..bf61774d6d19899c7ed51bf8a728d1b8f86811bc 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,9 @@
-2009-06-09 21:17 -0700  Brendan Cully  <brendan@kublai.com>  (0fb94d6eee38)
+2009-06-09 22:03 -0700  Brendan Cully  <brendan@kublai.com>  (9dcb7288039d)
+
+       * mutt_ssl.c: Whitespace.
+
+       * imap/imap.c: Skip comparison against current mailbox for idle
+       connections. Closes #3216.
 
        * imap/util.c: Revert accidental change
 

diff --git a/mutt_ssl.c b/mutt_ssl.c
index 92fc4407ec5d3cad23181a041fb0b0a0e6720506..cb1b0cc43fa03632e988f9d54af0b1b9f014485c 100644 (file)
--- a/mutt_ssl.c
+++ b/mutt_ssl.c
@@ -740,7 +740,8 @@ static int ssl_cache_trusted_cert (X509 *c)
 }
 
 /* check whether cert is preauthorized. If host is not null, verify that
- * it matches the certificate */
+ * it matches the certificate.
+ * Return > 0: authorized, < 0: problems, 0: unknown validity */
 static int ssl_check_preauth (X509 *cert, const char* host)
 {
   char buf[SHORT_STRING];
@@ -791,7 +792,9 @@ static int ssl_check_certificate (CONNECTION *conn, sslsockdata *data)
 
   chain = SSL_get_peer_cert_chain (data->ssl);
   chain_len = sk_X509_num (chain);
-  if (!chain || (chain_len <= 1))
+  /* negative preauthrc means the certificate won't be accepted without
+   * manual override. */
+  if (preauthrc < 0 || !chain || (chain_len <= 1))
     return interactive_check_cert (data->cert, 0, 0);
 
   /* check the chain from root to peer. */