How to send a PR? (attached "PR") (protonmail bridge headache)

[me]

Hi,

Not sure how to submit a PR .. so I send like this instead.

...

I've tried to configure mbsync to work with a dockerized protonmail
bridge, running on another server.

Providing a CertificateFile I still get the following error:
"Error, certificate owner does not match hostname <servername>".

Indeed it does not as protonmail cert have the hostname "127.0.0.1" (as
it's intended to run on your local machine).

In Thunderbird it is still possible to add an exception to this and
things work as you'd like them to.

I've now put together a similar feature in mbsync config, where you can
optionally specify to except hostname.

"CertificateExceptHostname yes"

This will ignore the host name matching.


My implementation is very small and works as I expect it to. Default
behavior is still to not ignore host names (of course).

Attached a diff ..

diff --git a/src/drv_imap.c b/src/drv_imap.c
index ad95e3d..e461896 100644
--- a/src/drv_imap.c
+++ b/src/drv_imap.c
@@ -3759,6 +3759,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
 	server->sconf.timeout = 20000;
 #ifdef HAVE_LIBSSL
 	server->ssl_type = -1;
+	server->sconf.cert_excepthostname = -1;
 	server->sconf.ssl_versions = TLSv1_2 | TLSv1_3;
 	server->sconf.system_certs = 1;
 #endif
@@ -3816,6 +3817,10 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
 				           cfg->file, cfg->line, server->sconf.cert_file );
 				cfg->err = 1;
 			}
+		} else if (!strcasecmp( "CertificateExceptHostname", cfg->cmd )) {
+			if (!strcasecmp( "yes", cfg->val )) {
+				server->sconf.cert_excepthostname = 1;
+			}
 		} else if (!strcasecmp( "SystemCertificates", cfg->cmd )) {
 			server->sconf.system_certs = parse_bool( cfg );
 		} else if (!strcasecmp( "ClientCertificate", cfg->cmd )) {
diff --git a/src/socket.c b/src/socket.c
index 52cd7c2..81e8bcf 100644
--- a/src/socket.c
+++ b/src/socket.c
@@ -202,7 +202,11 @@ verify_cert_host( const server_conf_t *conf, conn_t *sock )
 		return -1;
 	}
 
-	int ret = verify_hostname( cert, conf->host );
+	int ret = 0;
+
+	if (conf->cert_excepthostname != 1) {
+		ret = verify_hostname( cert, conf->host );
+	}
 
 	X509_free( cert );
 	return ret;
diff --git a/src/socket.h b/src/socket.h
index 5b538eb..6869968 100644
--- a/src/socket.h
+++ b/src/socket.h
@@ -38,6 +38,7 @@ typedef struct {
 	char *cipher_string;
 	char system_certs;
 	char ssl_versions;
+	char cert_excepthostname;
 
 	/* these are actually variables and are leaked at the end */
 	char ssl_ctx_valid;


_______________________________________________
isync-devel mailing list
isync-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/isync-devel