!: modified feature, -: deleted feature, +: new feature
hg tip:
+ + $ssl_verify_dates controls whether mutt checks the validity period of
+ SSL certificates
+ $ssl_verify_hostname controls whether mutt will accept certificates whose
host names do not match the host name in the folder URL.
** advertising the capability. When \fIunset\fP, mutt will not attempt to
** use \fCSTARTTLS\fP regardless of the server's capabilities.
*/
+ { "ssl_verify_dates", DT_BOOL, R_NONE, OPTSSLVERIFYDATES, M_YES },
+ /*
+ ** .pp
+ ** If \fIset\fP (the default), mutt will not automatically accept a server
+ ** certificate that is either not yet valid or already expired. You should
+ ** only unset this for particular known hosts, using the
+ ** \fC$<account-hook>\fP function.
+ */
{ "ssl_verify_host", DT_BOOL, R_NONE, OPTSSLVERIFYHOST, M_YES },
/*
** .pp
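Review bot: The description for ssl_verify_dates says what happens when it is set but not what unsetting it means in practice: the date checks in the OpenSSL and GnuTLS backends (later hunks) are skipped entirely, so an expired or not-yet-valid certificate is not rejected outright but goes through the saved-certificate lookup and the interactive prompt like any other, and the OpenSSL prompt then offers "(a)ccept always" for it. A sentence such as `** When \fIunset\fP, such a certificate is treated like any other: it is matched against the saved certificate file and may be accepted (o)nce or (a)lways.` after the \fC$<account-hook>\fP sentence would make that trade-off explicit to users. The comment block is complete within the hunk.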
FILE *fp;
/* expiration check */
- if (X509_cmp_current_time (X509_get_notBefore (peercert)) >= 0)
+ if (option (OPTSSLVERIFYDATES) != M_NO)
{
- dprint (2, (debugfile, "Server certificate is not yet valid\n"));
- mutt_error (_("Server certificate is not yet valid"));
- mutt_sleep (2);
- return 0;
- }
- if (X509_cmp_current_time (X509_get_notAfter (peercert)) <= 0)
- {
- dprint (2, (debugfile, "Server certificate has expired"));
- mutt_error (_("Server certificate has expired"));
- mutt_sleep (2);
- return 0;
+ if (X509_cmp_current_time (X509_get_notBefore (peercert)) >= 0)
+ {
+ dprint (2, (debugfile, "Server certificate is not yet valid\n"));
+ mutt_error (_("Server certificate is not yet valid"));
+ mutt_sleep (2);
+ return 0;
+ }
+ if (X509_cmp_current_time (X509_get_notAfter (peercert)) <= 0)
+ {
+ dprint (2, (debugfile, "Server certificate has expired"));
+ mutt_error (_("Server certificate has expired"));
+ mutt_sleep (2);
+ return 0;
+ }
}
if ((fp = fopen (SslCertFile, "rt")) == NULL)
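Review bot: The debug message on the expired branch still lacks its trailing newline, unlike the "not yet valid" message a few lines above, so the next dprint output runs onto the same line in the debug file; `dprint (2, (debugfile, "Server certificate has expired\n"));`. The new guard would also benefit from a comment saying why skipping is acceptable, since with the option unset control falls straight to the fopen of SslCertFile: `/* $ssl_verify_dates unset: do not reject on dates here; the certificate is still checked against SslCertFile and the interactive prompt below */`. The enclosing function starts and ends outside the hunk.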
_("SSL Certificate check (certificate %d of %d in chain)"),
len - idx, len);
menu->title = title;
- if (SslCertFile && X509_cmp_current_time (X509_get_notAfter (cert)) >= 0
- && X509_cmp_current_time (X509_get_notBefore (cert)) < 0)
+ if (SslCertFile
+ && (option (OPTSSLVERIFYDATES) == M_NO
+ || (X509_cmp_current_time (X509_get_notAfter (cert)) >= 0
+ && X509_cmp_current_time (X509_get_notBefore (cert)) < 0)))
{
menu->prompt = _("(r)eject, accept (o)nce, (a)ccept always");
menu->keys = _("roa");
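Review bot: The four-line condition that decides whether "(a)ccept always" is offered now mixes the option test with the two date comparisons and is hard to read as a policy; naming the date part first keeps the intent visible, e.g. `int dates_ok = option (OPTSSLVERIFYDATES) == M_NO || (X509_cmp_current_time (X509_get_notAfter (cert)) >= 0 && X509_cmp_current_time (X509_get_notBefore (cert)) < 0);` followed by `if (SslCertFile && dates_ok)`. A one-line comment stating that permanent acceptance is deliberately withheld from date-invalid certificates unless the user opted out via $ssl_verify_dates would document the security decision at the point it is made. The enclosing function and the else branch of this if lie outside the hunk.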
gnutls_x509_crt_deinit (cert);
return -1;
}
-
- if (gnutls_x509_crt_get_expiration_time (cert) < time(NULL))
- certerr_expired = 1;
- if (gnutls_x509_crt_get_activation_time (cert) > time(NULL))
- certerr_notyetvalid = 1;
+
+ if (option (OPTSSLVERIFYDATES) != M_NO)
+ {
+ if (gnutls_x509_crt_get_expiration_time (cert) < time(NULL))
+ certerr_expired = 1;
+ if (gnutls_x509_crt_get_activation_time (cert) > time(NULL))
+ certerr_notyetvalid = 1;
+ }
if (!idx)
{
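Review bot: `time(NULL)` is called twice inside the new block, so the expiration and activation comparisons can observe different seconds; read it once with `time_t now = time (NULL);` before the guard and compare `gnutls_x509_crt_get_expiration_time (cert) < now` and `gnutls_x509_crt_get_activation_time (cert) > now`. With the option unset, certerr_expired and certerr_notyetvalid keep whatever value they had before this point, which presumably is zero from their initialisation outside the hunk; a short comment at the guard noting that the date errors are intentionally not raised would make that reliance explicit. The enclosing function starts and ends outside the hunk.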