From 0776024520ba51daeacf797dbef847fb83c5615e Mon Sep 17 00:00:00 2001
From: Brendan Cully
Date: Tue, 9 Jun 2009 22:09:20 -0700
Subject: [PATCH] Improve host checking for SSL with intermediate certificates.

---
 ChangeLog  | 7 ++++++-
 mutt_ssl.c | 7 +++++--
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index d0f3b4922..bf61774d6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,9 @@
-2009-06-09 21:17 -0700 Brendan Cully (0fb94d6eee38)
+2009-06-09 22:03 -0700 Brendan Cully (9dcb7288039d)
+
+	* mutt_ssl.c: Whitespace.
+
+	* imap/imap.c: Skip comparison against current mailbox for idle
+	connections. Closes #3216.
 
 	* imap/util.c: Revert accidental change
 
diff --git a/mutt_ssl.c b/mutt_ssl.c
index 92fc4407e..cb1b0cc43 100644
--- a/mutt_ssl.c
+++ b/mutt_ssl.c
@@ -740,7 +740,8 @@ static int ssl_cache_trusted_cert (X509 *c)
 }
 
 /* check whether cert is preauthorized. If host is not null, verify that
- * it matches the certificate */
+ * it matches the certificate.
+ * Return > 0: authorized, < 0: problems, 0: unknown validity */
 static int ssl_check_preauth (X509 *cert, const char* host)
 {
   char buf[SHORT_STRING];
@@ -791,7 +792,9 @@ static int ssl_check_certificate (CONNECTION *conn, sslsockdata *data)
   chain = SSL_get_peer_cert_chain (data->ssl);
   chain_len = sk_X509_num (chain);
 
-  if (!chain || (chain_len <= 1))
+  /* negative preauthrc means the certificate won't be accepted without
+   * manual override. */
+  if (preauthrc < 0 || !chain || (chain_len <= 1))
     return interactive_check_cert (data->cert, 0, 0);
 
   /* check the chain from root to peer. */
-- 
2.40.0
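Review bot: The new return-value comment on ssl_check_preauth leaves "< 0: problems" undefined, yet ssl_check_certificate (second hunk) now takes a different path purely on the sign of that value, so the comment should name the condition that yields a negative result. From the subject line, a host-name mismatch against an otherwise preauthorized certificate is presumably that condition — confirm against the function body, which lies outside the hunk. If so, a wording like ` * Return > 0: preauthorized (and host matches if given), 0: not preauthorized, < 0: preauthorized but host check failed; callers must not accept without manual override */` tells the caller what the sign actually means.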
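Review bot: The new `preauthrc < 0` test is placed before the root-to-peer chain walk, and that ordering is the security property of this change: a failed host check on the peer certificate must not be overridden by a cached intermediate encountered later in the loop. The added comment should state that invariant so a later reordering of the guard cannot silently reintroduce it, e.g. `/* negative preauthrc means the certificate won't be accepted without manual override; keep this test before the chain walk so a trusted intermediate cannot override a host mismatch on the peer cert. */`. Where preauthrc is computed and the chain loop itself lie outside the hunk, so whether that loop can accept on an intermediate alone is inferred from the commit subject rather than visible here. Note also that interactive_check_cert is invoked on data->cert with the same arguments as the no-chain case, so the prompt the user sees does not distinguish a host-name mismatch from a missing chain; if the prompt has a way to surface the reason, it would be worth passing it.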