From: Brendan Cully
Date: Wed, 10 Jun 2009 05:09:20 +0000 (-0700)
Subject: Improve host checking for SSL with intermediate certificates.
X-Git-Tag: neomutt-20160307~591
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=0776024520ba51daeacf797dbef847fb83c5615e;p=neomutt
Improve host checking for SSL with intermediate certificates.
---
diff --git a/ChangeLog b/ChangeLog
index d0f3b4922..bf61774d6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,9 @@
-2009-06-09 21:17 -0700 Brendan Cully (0fb94d6eee38)
+2009-06-09 22:03 -0700 Brendan Cully (9dcb7288039d)
+
+ * mutt_ssl.c: Whitespace.
+
+ * imap/imap.c: Skip comparison against current mailbox for idle
+ connections. Closes #3216.
 * imap/util.c: Revert accidental change
diff --git a/mutt_ssl.c b/mutt_ssl.c
index 92fc4407e..cb1b0cc43 100644
--- a/mutt_ssl.c
+++ b/mutt_ssl.c
@@ -740,7 +740,8 @@ static int ssl_cache_trusted_cert (X509 *c)
 }
 /* check whether cert is preauthorized. If host is not null, verify that
- * it matches the certificate */
+ * it matches the certificate.
+ * Return > 0: authorized, < 0: problems, 0: unknown validity */
 static int ssl_check_preauth (X509 *cert, const char* host)
 {
 char buf[SHORT_STRING];
@@ -791,7 +792,9 @@ static int ssl_check_certificate (CONNECTION *conn, sslsockdata *data)
 chain = SSL_get_peer_cert_chain (data->ssl);
 chain_len = sk_X509_num (chain);
- if (!chain || (chain_len <= 1))
+ /* negative preauthrc means the certificate won't be accepted without
+ * manual override. */
+ if (preauthrc < 0 || !chain || (chain_len <= 1))
 return interactive_check_cert (data->cert, 0, 0);
 /* check the chain from root to peer. */
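Review bot: The new `preauthrc < 0` guard in ssl_check_certificate handles the negative result at this one call only, while the comment added above ssl_check_preauth now documents a three-way return (> 0 authorized, < 0 problems, 0 unknown validity). Any other call site that tests the result for plain truth would take a negative "problems" value as authorized; the chain walk that follows this hunk is not visible here, so it should be checked and its tests written as `if (ssl_check_preauth (cert, host) > 0)`. The header comment could also say which failures produce a negative value, for example `/* < 0: certificate cannot be accepted without manual override */`, so the contract and the guard use the same wording. Both function bodies continue outside the hunks.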