#3087: No server hostname validation in SSL certificate processing

The SSL X509 certificate handling in mutt does not check the CN= against the FQDN that the user entered, and as such there is no indication that the certificate that mutt receives from an SSL-based server actually belongs to the server in question.

This could allow a malicious person to redirect (via DNS manipulation or otherwise) a user to a different server than intended and, using a valid server certificate from any host, permit the connection to succeed normally with no indication to the user that the certificate is invalid for the specified server.

I am attaching a patch against mutt 1.5.16 that looks like it will address the problem. The behavior the patch implements mimics the behavior in Mozilla-based e-mail clients.

--
Ticket URL: <http://dev.mutt.org/trac/ticket/3087>
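To make the missing check concrete, here is a self-contained hostname-matching routine written for this ticket as an illustration; it is not mutt's code and not the attached patch, and the function names are assumed. It goes slightly beyond the CN-only check the ticket describes by consulting SAN dNSName entries first and falling back to the CN only when the certificate carries no SAN.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive comparison of two DNS names (hostnames are not case-sensitive). */
static bool dns_ci_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == '\0' && *b == '\0';
}

/* Does one presented name (a CN or a SAN dNSName) match the host the user asked for?
 * A '*' is honoured only as the whole leftmost label, must be followed by at least
 * two more labels, and never matches across a dot: "*.example.org" matches
 * "imap.example.org" but not "example.org", "a.b.example.org" or "*.org". */
bool cert_name_matches(const char *pattern, const char *host)
{
    if (!pattern || !host || !*pattern || !*host)
        return false;
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *suffix = pattern + 2;
        const char *dot = strchr(host, '.');
        if (!strchr(suffix, '.'))        /* "*.org" is too broad */
            return false;
        if (strchr(suffix, '*'))         /* only a single wildcard label */
            return false;
        if (!dot || dot == host)         /* need a non-empty leftmost label */
            return false;
        return dns_ci_eq(suffix, dot + 1);
    }
    if (strchr(pattern, '*'))            /* wildcard anywhere else: reject */
        return false;
    return dns_ci_eq(pattern, host);
}

/* Verify a certificate's names against the configured server (constructed inputs:
 * the caller passes the SAN dNSName list and the CN already extracted from the cert).
 * SAN entries take precedence; the CN is consulted only when the cert has no SAN. */
bool cert_matches_host(const char *const *san, size_t nsan, const char *cn, const char *host)
{
    if (nsan > 0) {
        for (size_t i = 0; i < nsan; i++)
            if (cert_name_matches(san[i], host))
                return true;
        return false;               /* a CN is ignored once SANs are present */
    }
    return cert_name_matches(cn, host);
}
```

A valid certificate for a different host, the case the ticket describes, fails this check even though the chain itself verifies.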
