#3506: failure to check server certificate in SMTP TLS connection
--------------------+-------------------------------------------------------
Reporter: db | Owner: mutt-dev
Type: defect | Status: new
Priority: major | Milestone:
Component: mutt | Version:
Keywords: |
--------------------+-------------------------------------------------------
Comment(by db):
So I think this issue may be caused by mutt's method of validating the
host-name for a certificate chain such as the one found on smtp.gmail.com [-1]:
I propose the following patch, which as you can tell *breaks* mutt's SSL
handling because CA certs will now also have their hostnames checked - and
obviously they will not _match_.
Patch:
-----------
--- mutt_ssl_gnutls.c.orig 2011-03-10 00:12:25.000000000 +1100
+++ mutt_ssl_gnutls.c 2011-03-10 00:12:44.000000000 +1100
@@ -581,7 +581,7 @@
*certerr |= CERTERR_NOTYETVALID;
}
- if (chainidx == 0 && option (OPTSSLVERIFYHOST) != M_NO
+ if (option (OPTSSLVERIFYHOST) != M_NO
&& !gnutls_x509_crt_check_hostname (cert, hostname)
&& !tls_check_stored_hostname (certdata, hostname))
*certerr |= CERTERR_HOSTNAME;
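Review bot: Dropping the `chainidx == 0` guard applies the hostname check to every certificate in the chain, but only the leaf at index 0 is issued for the server name; the issuer at index 1 (here CN=Google Internet Authority) carries no server hostname and will always set CERTERR_HOSTNAME, so the change turns every well-formed chain into a hostname error instead of fixing the reported one. Keep `chainidx == 0 &&` and look instead at the other two operands of the `if`: because they are `&&`-chained, a true result from `tls_check_stored_hostname (certdata, hostname)` suppresses the error, which matches the observation in the comment that accepting the CA cert is saved for the server certificate. Also, the unchanged context lines of the hunk as pasted have lost their leading space, so the patch will not apply cleanly with `patch -p0`.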
----------
(Also ... yes, this will mean a check and potentially an incorrect error
message is displayed (accepting the CA cert will actually save for the
server certificate).) [0] & [1]
-----------
[-1]
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
i:/C=US/O=Google Inc/CN=Google Internet Authority
1 s:/C=US/O=Google Inc/CN=Google Internet Authority
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
[0]
This certificate belongs to:
Google Internet Authority
Google Inc
US
This certificate was issued by:
Equifax
Equifax Secure Certificate Authority
US
This certificate is valid
from Mon, 8 Jun 2009 20:43:27 UTC
to Fri, 7 Jun 2013 19:43:27 UTC
SHA1 Fingerprint: DD7A 7F13 1DDB A33D 3E86 7017 9483 E6FE A698 7D6A
MD5 Fingerprint: 33A0 EA98 0E3D 6E26 1D77 2D82 DF66 007D
WARNING: Server hostname does not match certificate
[1]
This certificate belongs to:
smtp.gmail.com
Google Inc
Mountain View California US
This certificate was issued by:
Google Internet Authority
Google Inc
US
This certificate is valid
from Thu, 22 Apr 2010 20:02:45 UTC
to Fri, 22 Apr 2011 20:12:45 UTC
SHA1 Fingerprint: 1A6F 488F BE5B FD92 D812 30F9 22CE 8449 B343 BD2C
MD5 Fingerprint: 6039 DEFB 0AD9 9E43 26E7 75AC 6048 A1B0
WARNING: Server hostname does not match certificate
--
Ticket URL: <http://dev.mutt.org/trac/ticket/3506#comment:1>
Mutt <http://www.mutt.org/>
The Mutt mail user agent
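As an added illustration (not code from the ticket or from mutt), the following Python models the leaf-only hostname check the discussion is about: a simplified RFC 6125-style matcher (assumed here to approximate what gnutls_x509_crt_check_hostname does; case-insensitive, one wildcard only as the whole leftmost label, dNSName SANs preferred over the subject CN) and a chain walker that records a per-index error flag. The CERTERR_HOSTNAME bit value, the dict layout and the smtp.gmail.com chain are constructed from the names shown in [-1].

```python
# Constructed flag value for the demo; not mutt's real CERTERR_HOSTNAME bit.
CERTERR_HOSTNAME = 1 << 5


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Simplified RFC 6125 match: case-insensitive; '*' allowed only as the
    entire leftmost label, matching exactly one label, never the public suffix."""
    pattern = pattern.lower().rstrip('.')
    hostname = hostname.lower().rstrip('.')
    if '*' not in pattern:
        return pattern == hostname
    plabels, hlabels = pattern.split('.'), hostname.split('.')
    if plabels[0] != '*' or len(plabels) < 3 or any('*' in l for l in plabels[1:]):
        return False
    return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]


def cert_matches_hostname(cert: dict, hostname: str) -> bool:
    """Prefer dNSName SAN entries; fall back to the subject CN only if no SAN."""
    names = cert.get('san') or [cert['cn']]
    return any(hostname_matches(n, hostname) for n in names)


def check_chain(chain, hostname, leaf_only=True):
    """Return one certerr flag per chain index. With leaf_only=True the check
    runs only at index 0 (mutt's original guard); with False it runs on every
    cert, as the proposed patch would, and flags every issuer."""
    errs = []
    for chainidx, cert in enumerate(chain):
        certerr = 0
        if (not leaf_only or chainidx == 0) and not cert_matches_hostname(cert, hostname):
            certerr |= CERTERR_HOSTNAME
        errs.append(certerr)
    return errs


# Constructed from the subject names in the ticket's chain dump [-1].
GMAIL_CHAIN = [
    {'cn': 'smtp.gmail.com', 'san': []},            # index 0: server cert
    {'cn': 'Google Internet Authority', 'san': []},  # index 1: intermediate CA
]

if __name__ == '__main__':
    print(check_chain(GMAIL_CHAIN, 'smtp.gmail.com'))                  # [0, 0]
    print(check_chain(GMAIL_CHAIN, 'smtp.gmail.com', leaf_only=False))  # [0, 32]
```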