Change OpenSSL to use SHA-256 for cert comparison. (closes #3924)

Note the GnuTLS code compares the certs directly to check if they are
in the certfile.

diff --git a/mutt_ssl.c b/mutt_ssl.c
index 98cb82c0b3d9965072c45056167200022c33b10b..86c8fb50a51e04738aee039fb95217b29b34d7dc 100644 (file)
--- a/mutt_ssl.c
+++ b/mutt_ssl.c
@@ -771,7 +771,7 @@ static int compare_certificates (X509 *cert, X509 *peercert,
       X509_issuer_name_cmp (cert, peercert) != 0)
     return -1;
 
-  if (!X509_digest (cert, EVP_sha1(), md, &mdlen) || peermdlen != mdlen)
+  if (!X509_digest (cert, EVP_sha256(), md, &mdlen) || peermdlen != mdlen)
     return -1;
 
   if (memcmp(peermd, md, mdlen) != 0)
@@ -787,7 +787,7 @@ static int check_certificate_cache (X509 *peercert)
   X509 *cert;
   int i;
 
-  if (!X509_digest (peercert, EVP_sha1(), peermd, &peermdlen)
+  if (!X509_digest (peercert, EVP_sha256(), peermd, &peermdlen)
       || !SslSessionCerts)
   {
     return 0;
@@ -848,7 +848,7 @@ static int check_certificate_file (X509 *peercert)
   if ((fp = fopen (SslCertFile, "rt")) == NULL)
     return 0;
 
-  if (!X509_digest (peercert, EVP_sha1(), peermd, &peermdlen))
+  if (!X509_digest (peercert, EVP_sha256(), peermd, &peermdlen))
   {
     safe_fclose (&fp);
     return 0;
@@ -1083,7 +1083,7 @@ static int ssl_verify_callback (int preverify_ok, X509_STORE_CTX *ctx)
   {
     if (skip_mode && preverify_ok && (pos == last_pos) && last_cert)
     {
-      if (X509_digest (last_cert, EVP_sha1(), last_cert_md, &last_cert_mdlen) &&
+      if (X509_digest (last_cert, EVP_sha256(), last_cert_md, &last_cert_mdlen) &&
           !compare_certificates (cert, last_cert, last_cert_md, last_cert_mdlen))
       {
         dprint (2, (debugfile,