-2009-01-10 21:43 -0800 Brendan Cully <brendan@kublai.com> (aa069968e4d5)
+2009-01-10 22:09 -0800 Brendan Cully <brendan@kublai.com> (db3a61fcde35)
+
+ * imap/util.c: Assume INBOX for ""/NULL in imap_mxcmp
+
+ * imap/util.c: Use known connection delimiter in imap_expand_path
* imap/util.c: Guard against NULL pointers in imap_mxcmp
The keys used are:
!: modified feature, -: deleted feature, +: new feature
+hg tip:
+ + $ssl_verify_hostname controls whether mutt will accept certificates whose
+ host names do not match the host name in the folder URL.
+
1.5.19 (2009-01-05):
+ support for SSL certificate chains
** advertising the capability. When \fIunset\fP, mutt will not attempt to
** use \fCSTARTTLS\fP regardless of the server's capabilities.
*/
+ { "ssl_verify_host", DT_BOOL, R_NONE, OPTSSLVERIFYHOST, M_YES },
+ /*
+ ** .pp
+ ** If \fIset\fP (the default), mutt will not automatically accept a server
+ ** certificate whose host name does not match the host used in your folder
+ ** URL. You should only unset this for particular known hosts, using
+ ** the \fC$<account-hook>\fP function.
+ */
{ "certificate_file", DT_PATH, R_NONE, UL &SslCertFile, UL "~/.mutt_certificates" },
/*
** .pp
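Review bot: The option is registered here as `ssl_verify_host`, but the UPDATING entry in this same change announces it as `$ssl_verify_hostname`, so a user following the release notes would set a variable that does not exist. The UPDATING line should read `+ $ssl_verify_host controls whether mutt will accept certificates whose`. The default is written as `M_YES` on a `DT_BOOL` entry; if `M_YES` is a quad-option constant (its definition is not visible here), a plain `1` would state the intent more directly. The help text could also add one sentence saying that, with the option unset, an otherwise trusted certificate issued for a different host is accepted without a hostname warning, which is why the unset should stay confined to a narrow account-hook.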
OPTSSLV3,
OPTTLSV1,
OPTSSLFORCETLS,
+ OPTSSLVERIFYHOST,
#endif /* defined(USE_SSL) */
OPTIMPLICITAUTOVIEW,
OPTINCLUDEONLYFIRST,
}
buf[0] = 0;
- if (!check_host (cert, conn->account.host, buf, sizeof (buf)))
+ if (option (OPTSSLVERIFYHOST) != M_NO)
{
- mutt_error (_("Certificate host check failed: %s"), buf);
- mutt_sleep (2);
- return -1;
+ if (!check_host (cert, conn->account.host, buf, sizeof (buf)))
+ {
+ mutt_error (_("Certificate host check failed: %s"), buf);
+ mutt_sleep (2);
+ return -1;
+ }
+ dprint (2, (debugfile, "ssl_check_preauth: hostname check passed\n"));
}
- dprint (2, (debugfile, "ssl_check_preauth: hostname check passed\n"));
if (check_certificate_by_signer (cert))
{
if (!idx)
{
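Review bot: When `$ssl_verify_host` is unset, the new `if` falls through with no trace, so a debug log cannot tell a skipped hostname check from one that passed. Adding `else dprint (2, (debugfile, "ssl_check_preauth: hostname check skipped, ssl_verify_host unset\n"));` after the closing brace would make the weakened state visible when a connection is reviewed later. The test `option (OPTSSLVERIFYHOST) != M_NO` compares a boolean option with what appears to be a quad-option constant; `if (option (OPTSSLVERIFYHOST))` reads more directly and is equivalent provided `M_NO` is 0, and the GnuTLS condition later in this change uses the same form. The enclosing function starts and ends outside the hunk.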
if (!gnutls_x509_crt_check_hostname (cert, hostname) &&
- !tls_check_stored_hostname (certdata, hostname))
+ !tls_check_stored_hostname (certdata, hostname) &&
+ option (OPTSSLVERIFYHOST) != M_NO)
certerr_hostname = 1;
}