Now with patch.

On Sat, 19 Jul 2014, Mark Pustjens wrote:

Hi,

According to the manual on the option CertificateFile:
``Directly matched peer certificates are always trusted, regardless of validity.''

However, I still get the error ``certificate owner does not match hostname''. The error is right in that the domain of the certificate does not match the Host domain in the configuration. It is wrong in that according to the manual, this check should have passed.

The attached patch adds an option CertificateDomain, which is used to match against the certificate. Given the manual, this might not be intended.

What is the intended behaviour, and what would be the preferred way to solve it?

Greetings/Groetjes

Mark Pustjens

--
There have, in the course of decadent history, been many large wigs, often
with build-in gewgaws to stop people having to look at boring hair all the
time. There had been ones big enough to contain pet mice or clockwork
ornaments. Mme Cupidor, mistress of Mad King Soup II, had one with a bird
cage in it, but on special state occasions wore one containing a perpetual
calendar, a floral clock and a take-away linguini shop.
 (Lords and Ladies)


Greetings/Groetjes

Mark Pustjens

--
"He raised his hammer defiantly and opened his mouth to say, "Oh, yeah?" but
stopped, because just by his ear he heard a growl. It was quite low and soft,
but it had a complex little waveform which went straight down into a little
knobbly bit in his spinal column where it pressed an ancient button marked
Primal Terror."
  (Feet of Clay)
diff --git a/autogen.sh b/autogen.sh
old mode 100755
new mode 100644
diff --git a/debian/generate-deb b/debian/generate-deb
old mode 100755
new mode 100644
diff --git a/debian/rules b/debian/rules
old mode 100755
new mode 100644
diff --git a/get-cert b/get-cert
old mode 100755
new mode 100644
diff --git a/src/compat/config.c b/src/compat/config.c
index 70360fc..03fa539 100644
--- a/src/compat/config.c
+++ b/src/compat/config.c
@@ -184,6 +184,8 @@ load_config( const char *path, config_t ***stor )
                        cfg->delete = is_true( val );
                else if (!strcasecmp( "CertificateFile", cmd ))
                        cfg->cert_file = expand_strdup( val );
+               else if (!strcasecmp( "CertificateDomain", cmd ))
+                       cfg->cert_domain = expand_strdup( val );
                else if (!strcasecmp( "RequireSSL", cmd ))
                        cfg->require_ssl = is_true( val );
                else if (!strcasecmp( "UseSSLv2", cmd ))
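Review bot: `cfg->cert_domain` is filled in from the compat config here, but nothing in this hunk shows it being copied into the `server_conf_t` that `verify_cert_host()` later reads, the way `cert_file` presumably is; if the compat converter is not updated as well, `CertificateDomain` in an old-style config is parsed and then silently ignored. The value is also stored without any check that it is non-empty, whereas a blank `CertificateDomain` would later be passed to `verify_hostname()` as the expected name. `load_config()` starts and ends outside the hunk.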
diff --git a/src/compat/isync.h b/src/compat/isync.h
index b8c7cc2..1e49055 100644
--- a/src/compat/isync.h
+++ b/src/compat/isync.h
@@ -53,6 +53,7 @@ typedef struct config {
        unsigned int use_sslv3:1;
        unsigned int use_tlsv1:1;
        char *cert_file;
+       char *cert_domain;
 
        const char *store_name;
        int stores;
diff --git a/src/drv_imap.c b/src/drv_imap.c
index 13e4f37..9452c2a 100644
--- a/src/drv_imap.c
+++ b/src/drv_imap.c
@@ -2300,7 +2300,9 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
                                           cfg->file, cfg->line, 
server->sconf.cert_file );
                                cfg->err = 1;
                        }
-               } else if (!strcasecmp( "RequireSSL", cfg->cmd ))
+               } else if (!strcasecmp( "CertificateDomain", cfg->cmd ))
+                       server->sconf.cert_domain = nfstrdup( cfg->val );
+               else if (!strcasecmp( "RequireSSL", cfg->cmd ))
                        server->require_ssl = parse_bool( cfg );
                else if (!strcasecmp( "UseIMAPS", cfg->cmd ))
                        server->sconf.use_imaps = parse_bool( cfg );
diff --git a/src/run-tests.pl b/src/run-tests.pl
old mode 100755
new mode 100644
diff --git a/src/socket.c b/src/socket.c
index f47e375..26b9006 100644
--- a/src/socket.c
+++ b/src/socket.c
@@ -146,10 +146,12 @@ verify_hostname( X509 *cert, const char *hostname )
                error( "Error, cannot get certificate common name\n" );
                return -1;
        }
+
        if (strlen( cname ) == (size_t)len && host_matches( hostname, cname ))
                return 0;
 
-       error( "Error, certificate owner does not match hostname %s\n", 
hostname );
+       error( "Error, certificate owner does not match hostname %s != %s\n", 
cname, hostname );
+
        return -1;
 }
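Review bot: The new message prints `cname`, a string taken from the peer certificate, into the log; it is passed as a `%s` argument and the `strlen( cname ) == (size_t)len` check above rules out embedded NULs, so this is not a format-string problem, but a CN can still carry newlines or control characters that would forge or mangle log lines. Consider escaping non-printable bytes before logging, or printing `len` alongside the string so a truncated or odd name is recognisable. The two added blank lines and the trailing space after the comma in the `error(` call are whitespace noise that could be dropped.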
 
@@ -167,7 +169,11 @@ verify_cert_host( const server_conf_t *conf, conn_t *sock )
                return -1;
        }
 
-       return verify_hostname( cert, conf->host );
+       if (conf->cert_domain) {
+               return verify_hostname( cert, conf->cert_domain );
+       } else {
+               return verify_hostname( cert, conf->host );
+       }
 }
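Review bot: Substituting `conf->cert_domain` for `conf->host` makes `CertificateDomain` a trust decision rather than a matching hint: any certificate naming `cert_domain` is accepted for a connection to `host`, so setting it to a broad name widens what is accepted for that server. If the goal is the behaviour the manual promises — a certificate directly matched via `CertificateFile` is trusted regardless of the hostname — the cleaner fix is to skip `verify_hostname()` when the peer certificate matched the pinned file, and that match, if it exists, happens outside this hunk. The new option also needs a manpage entry stating this trade-off; the patch adds none. Stylistically the branch collapses to `return verify_hostname( cert, conf->cert_domain ? conf->cert_domain : conf->host );`. `verify_cert_host()` starts outside the hunk.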
 
 static int
diff --git a/src/socket.h b/src/socket.h
index 1545b39..ececf93 100644
--- a/src/socket.h
+++ b/src/socket.h
@@ -34,6 +34,7 @@ typedef struct server_conf {
        int port;
 #ifdef HAVE_LIBSSL
        char *cert_file;
+       char *cert_domain;
        char use_imaps;
        char use_sslv2, use_sslv3, use_tlsv1, use_tlsv11, use_tlsv12;
 