From 745dc9d9cced5215205941f15f2303848dac0999 Mon Sep 17 00:00:00 2001
From: Brendan Cully
Date: Sun, 11 Jan 2009 16:04:13 -0800
Subject: [PATCH] Add $ssl_verify_dates option to relax certificate date validation
---
 UPDATING | 2 ++
 init.h | 8 ++++++++
 mutt.h | 1 +
 mutt_ssl.c | 33 +++++++++++++++++++--------------
 mutt_ssl_gnutls.c | 13 ++++++++-----
 5 files changed, 38 insertions(+), 19 deletions(-)
diff --git a/UPDATING b/UPDATING
index a8f62e0e1..491b40fef 100644
--- a/UPDATING
+++ b/UPDATING
@@ -5,6 +5,8 @@ The keys used are: !: modified feature, -: deleted feature, +: new feature hg tip: + + $ssl_verify_dates controls whether mutt checks the validity period of + SSL certificates + $ssl_verify_hostname controls whether mutt will accept certificates whose host names do not match the host name in the folder URL.
diff --git a/init.h b/init.h
index d4834ca1d..bd996e58c 100644
--- a/init.h
+++ b/init.h
@@ -2145,6 +2145,14 @@ struct option_t MuttVars[] = { ** advertising the capability. When \fIunset\fP, mutt will not attempt to ** use \fCSTARTTLS\fP regardless of the server's capabilities. */ + { "ssl_verify_dates", DT_BOOL, R_NONE, OPTSSLVERIFYDATES, M_YES }, + /* + ** .pp + ** If \fIset\fP (the default), mutt will not automatically accept a server + ** certificate that is either not yet valid or already expired. You should + ** only unset this for particular known hosts, using the + ** \fC$\fP function. + */ { "ssl_verify_host", DT_BOOL, R_NONE, OPTSSLVERIFYHOST, M_YES }, /* ** .pp
diff --git a/mutt.h b/mutt.h
index fbacb0a98..5ccb3a1f5 100644
--- a/mutt.h
+++ b/mutt.h
@@ -370,6 +370,7 @@ enum OPTSSLV3, OPTTLSV1, OPTSSLFORCETLS, + OPTSSLVERIFYDATES, OPTSSLVERIFYHOST, #endif /* defined(USE_SSL) */ OPTIMPLICITAUTOVIEW,
diff --git a/mutt_ssl.c b/mutt_ssl.c
index 9242532e5..7cf5371d4 100644
--- a/mutt_ssl.c
+++ b/mutt_ssl.c
@@ -564,19 +564,22 @@ static int check_certificate_by_digest (X509 *peercert) FILE *fp; /* expiration check */ - if (X509_cmp_current_time (X509_get_notBefore (peercert)) >= 0) + if (option (OPTSSLVERIFYDATES) != M_NO) { - dprint (2, (debugfile, "Server certificate is not yet valid\n")); - mutt_error (_("Server certificate is not yet valid")); - mutt_sleep (2); - return 0; - } - if (X509_cmp_current_time (X509_get_notAfter (peercert)) <= 0) - { - dprint (2, (debugfile, "Server certificate has expired")); - mutt_error (_("Server certificate has expired")); - mutt_sleep (2); - return 0; + if (X509_cmp_current_time (X509_get_notBefore (peercert)) >= 0) + { + dprint (2, (debugfile, "Server certificate is not yet valid\n")); + mutt_error (_("Server certificate is not yet valid")); + mutt_sleep (2); + return 0; + } + if (X509_cmp_current_time (X509_get_notAfter (peercert)) <= 0) + { + dprint (2, (debugfile, "Server certificate has expired")); + mutt_error (_("Server certificate has expired")); + mutt_sleep (2); + return 0; + } } if ((fp = fopen (SslCertFile, "rt")) == NULL)
@@ -884,8 +887,10 @@ static int interactive_check_cert (X509 *cert, int idx, int len) _("SSL Certificate check (certificate %d of %d in chain)"), len - idx, len); menu->title = title; - if (SslCertFile && X509_cmp_current_time (X509_get_notAfter (cert)) >= 0 - && X509_cmp_current_time (X509_get_notBefore (cert)) < 0) + if (SslCertFile + && (option (OPTSSLVERIFYDATES) == M_NO + || (X509_cmp_current_time (X509_get_notAfter (cert)) >= 0 + && X509_cmp_current_time (X509_get_notBefore (cert)) < 0))) { menu->prompt = _("(r)eject, accept (o)nce, (a)ccept always"); menu->keys = _("roa");
diff --git a/mutt_ssl_gnutls.c b/mutt_ssl_gnutls.c
index 48f03c3ed..1f9b070e9 100644
--- a/mutt_ssl_gnutls.c
+++ b/mutt_ssl_gnutls.c
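Review bot: The gate `option (OPTSSLVERIFYDATES) != M_NO` in check_certificate_by_digest, and `== M_NO` in interactive_check_cert below it, reads as if `option()` returned a quad-option value; if, as elsewhere in mutt, `option()` is a boolean bit test, the comparison only works because M_NO happens to be zero, and `if (option (OPTSSLVERIFYDATES))` / `!option (OPTSSLVERIFYDATES)` would state the intent directly. The same comparison appears in the mutt_ssl_gnutls.c hunk. When the check is skipped there is no trace that a not-yet-valid or expired certificate was passed on to the digest lookup; an `else` branch with `dprint (2, (debugfile, "Skipping certificate date validation (ssl_verify_dates unset)\n"));` would make that visible in the debug log. The re-indented `dprint` for the expired case still lacks the trailing newline its sibling has: `dprint (2, (debugfile, "Server certificate has expired\n"));`. Both functions begin before this hunk and continue after it.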
@@ -576,11 +576,14 @@ static int tls_check_one_certificate (const gnutls_datum_t *certdata, gnutls_x509_crt_deinit (cert); return -1; } - - if (gnutls_x509_crt_get_expiration_time (cert) < time(NULL)) - certerr_expired = 1; - if (gnutls_x509_crt_get_activation_time (cert) > time(NULL)) - certerr_notyetvalid = 1; + + if (option (OPTSSLVERIFYDATES) != M_NO) + { + if (gnutls_x509_crt_get_expiration_time (cert) < time(NULL)) + certerr_expired = 1; + if (gnutls_x509_crt_get_activation_time (cert) > time(NULL)) + certerr_notyetvalid = 1; + } if (!idx) {
-- 2.40.0
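Review bot: `time(NULL)` is evaluated separately for the expiration and activation comparisons inside the new `if (option (OPTSSLVERIFYDATES) != M_NO)` block; reading the clock once, `time_t now = time (NULL);`, and comparing both certificate times against `now` keeps the two checks consistent with each other and reads more clearly. A short comment above the block, such as `/* $ssl_verify_dates: skip the validity-period checks entirely when unset */`, would tell a reader why certerr_expired and certerr_notyetvalid can remain clear for an expired certificate. tls_check_one_certificate starts before this hunk and continues past it, where presumably those flags decide what the user is offered.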