From d0ddd64f63bca3f1ab60754a255eaf2110f183b3 Mon Sep 17 00:00:00 2001 From: Brendan Cully Date: Sun, 11 Jan 2009 15:44:28 -0800 Subject: [PATCH] Add $ssl_verify_host to allow skipping host name validation --- ChangeLog | 6 +++++- UPDATING | 4 ++++ init.h | 8 ++++++++ mutt.h | 1 + mutt_ssl.c | 13 ++++++++----- mutt_ssl_gnutls.c | 3 ++- 6 files changed, 28 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index d86c9571..d4bd9548 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,4 +1,8 @@ -2009-01-10 21:43 -0800 Brendan Cully (aa069968e4d5) +2009-01-10 22:09 -0800 Brendan Cully (db3a61fcde35) + + * imap/util.c: Assume INBOX for ""/NULL in imap_mxcmp + + * imap/util.c: Use known connection delimiter in imap_expand_path * imap/util.c: Guard against NULL pointers in imap_mxcmp diff --git a/UPDATING b/UPDATING index eb302992..a8f62e0e 100644 --- a/UPDATING +++ b/UPDATING @@ -4,6 +4,10 @@ mutt. Please read this file carefully when upgrading your installation. The keys used are: !: modified feature, -: deleted feature, +: new feature +hg tip: + + $ssl_verify_hostname controls whether mutt will accept certificates whose + host names do not match the host name in the folder URL. + 1.5.19 (2009-01-05): + support for SSL certificate chains diff --git a/init.h b/init.h index f9c5bba7..d4834ca1 100644 --- a/init.h +++ b/init.h @@ -2145,6 +2145,14 @@ struct option_t MuttVars[] = { ** advertising the capability. When \fIunset\fP, mutt will not attempt to ** use \fCSTARTTLS\fP regardless of the server's capabilities. */ + { "ssl_verify_host", DT_BOOL, R_NONE, OPTSSLVERIFYHOST, M_YES }, + /* + ** .pp + ** If \fIset\fP (the default), mutt will not automatically accept a server + ** certificate whose host name does not match the host used in your folder + ** URL. You should only unset this for particular known hosts, using + ** the \fC$\fP function. + */ { "certificate_file", DT_PATH, R_NONE, UL &SslCertFile, UL "~/.mutt_certificates" }, /* ** .pp 
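Review bot: The option is registered as `ssl_verify_host` in the init.h hunk (and in the commit subject) while the UPDATING hunk documents it as `$ssl_verify_hostname`; one of the two names has to change, or users following UPDATING will set a variable that does not exist. The init.h cross-reference `the \fC$\fP function` also reads as empty — presumably the bracketed function name was lost in transit — and without it the text does not tell users how to scope the unset to a single known host, which is the only safe way to use it. It would also help to state the consequence plainly, since both backends then stop comparing the certificate's names against the folder host: a line such as `** When unset, a certificate issued for any host name is accepted as long as` / `** it passes the remaining checks, so the host in the folder URL is not authenticated.` makes the trade-off visible to whoever flips it.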
diff --git a/mutt.h b/mutt.h
index 94a7d4f5..fbacb0a9 100644
--- a/mutt.h
+++ b/mutt.h
@@ -370,6 +370,7 @@ enum
   OPTSSLV3,
   OPTTLSV1,
   OPTSSLFORCETLS,
+  OPTSSLVERIFYHOST,
 #endif /* defined(USE_SSL) */
   OPTIMPLICITAUTOVIEW,
   OPTINCLUDEONLYFIRST,
diff --git a/mutt_ssl.c b/mutt_ssl.c
index 7de574ea..9242532e 100644
--- a/mutt_ssl.c
+++ b/mutt_ssl.c
@@ -749,13 +749,16 @@ static int ssl_check_preauth (X509 *cert, CONNECTION *conn)
   }
 
   buf[0] = 0;
-  if (!check_host (cert, conn->account.host, buf, sizeof (buf)))
+  if (option (OPTSSLVERIFYHOST) != M_NO)
   {
-    mutt_error (_("Certificate host check failed: %s"), buf);
-    mutt_sleep (2);
-    return -1;
+    if (!check_host (cert, conn->account.host, buf, sizeof (buf)))
+    {
+      mutt_error (_("Certificate host check failed: %s"), buf);
+      mutt_sleep (2);
+      return -1;
+    }
+    dprint (2, (debugfile, "ssl_check_preauth: hostname check passed\n"));
   }
-  dprint (2, (debugfile, "ssl_check_preauth: hostname check passed\n"));
 
   if (check_certificate_by_signer (cert))
   {
diff --git a/mutt_ssl_gnutls.c b/mutt_ssl_gnutls.c
index d1898419..48f03c3e 100644
--- a/mutt_ssl_gnutls.c
+++ b/mutt_ssl_gnutls.c
@@ -585,7 +585,8 @@ static int tls_check_one_certificate (const gnutls_datum_t *certdata,
   if (!idx)
   {
     if (!gnutls_x509_crt_check_hostname (cert, hostname) &&
-        !tls_check_stored_hostname (certdata, hostname))
+        !tls_check_stored_hostname (certdata, hostname) &&
+        option (OPTSSLVERIFYHOST) != M_NO)
       certerr_hostname = 1;
   }
 
-- 
2.40.0
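Review bot: When the option is unset the new `if (option (OPTSSLVERIFYHOST) != M_NO)` branch in ssl_check_preauth skips check_host silently — the "hostname check passed" dprint has moved inside the guarded block, but nothing records that the check was bypassed, so a debug log of a connection made with verification disabled looks no different from a verified one. Add an `else` to the new `if` with `dprint (2, (debugfile, "ssl_check_preauth: hostname check skipped\n"));` so the bypass is attributable when a session is later investigated. The same gap exists in the mutt_ssl_gnutls.c hunk, where a suppressed hostname mismatch leaves no trace either. ssl_check_preauth begins and ends outside the hunk.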
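Review bot: In tls_check_one_certificate the new `option (OPTSSLVERIFYHOST) != M_NO` conjunct is evaluated last, so gnutls_x509_crt_check_hostname and tls_check_stored_hostname still run (the latter presumably reading the stored-certificate file) before their result is discarded, whereas the OpenSSL side in mutt_ssl.c gates the whole check on the option. Testing the option first — `if (option (OPTSSLVERIFYHOST) != M_NO &&` / `    !gnutls_x509_crt_check_hostname (cert, hostname) &&` / `    !tls_check_stored_hostname (certdata, hostname))` — keeps the two backends parallel and puts the bypass where a reader looks for it, at the head of the condition. The outcome is unchanged provided neither hostname call has side effects later code depends on, which I cannot confirm from the hunk. tls_check_one_certificate starts and ends outside the hunk.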