Heikki Toivonen wrote:

I just enabled the final piece in the SSL support for IMAP and SSL. We
now check the X.509 certificate that was returned by the server and make
sure that the host it was issued to is the same host we connected to.

[snip]

The actual check is stricter than is actually specified in the RFC. I
will change it to conform to the spec, but I would also be interested in
finding out if there actually are any certificates out there that would
not pass the current check. Specifically, the current checks are
stricter because: 1) they are case sensitive, 2) they don't allow
certificates specified for multiple hosts. I don't really like how I
implemented this whole validation step so I will redo a part of it anyway.

I would avoid doing a case-sensitive check; it can only lead to mysterious problems. That said, I have no idea how IDN affects this practice. I'm sure the right thing in the long run is to do an octet-string match, but in the meantime I don't think we want to have to figure out failure cases where the user entered "Foo.Bar.Edu" as the hostname for some reason.

As far as IDN is concerned, I believe that IDN strings first go through a process called "nameprep", which is a combination of NFKC (normalization), case folding, removal of control/space characters, etc.


So hopefully case sensitivity wouldn't be an issue, if the IDN spec is followed correctly. And then yes, you could do a binary comparison to check for equality.

-- Ken
--
Ken Krugler
TransPac Software, Inc.
<http://www.transpac.com>
+1 530-470-9200
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

Open Source Applications Foundation "Dev" mailing list
http://lists.osafoundation.org/mailman/listinfo/dev
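
The matching discussed in this thread, as an added example that is not code from the thread or the project: a check with the two restrictions described (case-sensitive, one name only) beside one that normalizes names and accepts any of several certificate names. The function names and sample certificate names are constructed for illustration; Python's built-in `idna` codec (IDNA 2003, which applies nameprep) stands in for the IDN step, and wildcard names are not handled.

```python
from typing import Iterable

# Constructed sample: names a certificate might be issued to.
CERT_NAMES = ["mail.example.edu", "imap.example.edu", "b\u00fccher.example"]


def strict_match(connected_host: str, cert_name: str) -> bool:
    """Check with both restrictions: exact, case-sensitive, single name."""
    return connected_host == cert_name


def normalize(host: str) -> str:
    """Return the ASCII form of a hostname, suitable for octet comparison.

    The idna codec runs nameprep (NFKC plus case folding) on non-ASCII
    labels only; pure-ASCII labels pass through unchanged, so the result
    is lowercased explicitly to make "Foo.Bar.Edu" equal "foo.bar.edu".
    """
    host = host.rstrip(".")  # tolerate a fully qualified trailing dot
    if not host:
        raise ValueError("empty hostname")
    return host.encode("idna").decode("ascii").lower()


def host_matches(connected_host: str, cert_names: Iterable[str]) -> bool:
    """True if any certificate name equals the host we connected to."""
    try:
        wanted = normalize(connected_host)
    except ValueError:  # UnicodeError is a ValueError subclass
        return False  # fail closed on names that cannot be normalized
    for name in cert_names:
        try:
            if normalize(name) == wanted:
                return True
        except ValueError:
            continue  # skip malformed certificate names
    return False


if __name__ == "__main__":
    print(strict_match("Mail.Example.EDU", CERT_NAMES[0]))   # strict check
    print(host_matches("Mail.Example.EDU", CERT_NAMES))      # normalized
    print(host_matches("B\u00dcCHER.example", CERT_NAMES))   # IDN, upper case
```
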
