#3087: No server hostname validation in SSL certificate processing

Changes (by pdmef):

 * priority: critical => major
 * status: closed => reopened
 * resolution: fixed =>

Comment:

The hostname check added in [934a802dff7f] is likely incomplete.

First, http://www.openssl.org/docs/crypto/X509_NAME_get_index_by_NID.html says `X509_NAME_get_text_by_NID()` is a legacy function with limitations.

Second, it seems that simply matching full hostnames is not enough as other verification implementations (including GnuTLS) seem to support pattern and domain name matching as well as extracting all hostnames provided in the certificate.

The hostname verification used in msmtp together with OpenSSL could be a candidate implementation for mutt as it seems to check more than the first CN and does support pattern matching.

--
Ticket URL: <http://dev.mutt.org/trac/ticket/3087#comment:4>
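
The kind of check the comment asks for, sketched as an added example (not code from mutt, msmtp or OpenSSL): every name taken from the certificate is tried, with single-label wildcard matching. It assumes the names have already been extracted together with their lengths; `cert_name`, `name_matches`, `host_matches_cert`, the sample names and the wildcard policy are all hypothetical choices made for this illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* A certificate name with explicit length, so a NUL byte cannot truncate it. */
struct cert_name { const char *data; size_t len; };
#define NAME(s) { s, sizeof(s) - 1 }

/* Constructed sample: names as they might be collected from a certificate. */
static const struct cert_name sample_names[] = {
    NAME("mail.example.org"),
    NAME("*.lists.example.org"),
    NAME("imap.example.org\0.other.invalid"),   /* embedded NUL, must not match */
};

static int eq_nocase(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Wildcard policy (assumed): "*" only as the entire leftmost label, covering
 * exactly one label, and never directly above a top-level domain. */
static int name_matches(const struct cert_name *n, const char *host)
{
    size_t hlen = strlen(host);
    if (n->len == 0 || memchr(n->data, '\0', n->len))
        return 0;                                /* empty or NUL-carrying name */
    if (n->len > 2 && n->data[0] == '*' && n->data[1] == '.') {
        const char *dot = strchr(host, '.');
        size_t suffix = n->len - 1;              /* ".lists.example.org" */
        if (!dot || dot == host) return 0;       /* need a non-empty first label */
        if (!memchr(n->data + 2, '.', n->len - 2)) return 0;   /* refuse "*.org" */
        if (memchr(n->data + 1, '*', suffix)) return 0;        /* single "*" only */
        return strlen(dot) == suffix && eq_nocase(dot, n->data + 1, suffix);
    }
    if (memchr(n->data, '*', n->len))
        return 0;                                /* no partial-label wildcards */
    return n->len == hlen && eq_nocase(n->data, host, hlen);
}

/* Try every name the certificate carries, not only the first CN. */
int host_matches_cert(const struct cert_name *names, size_t count, const char *host)
{
    for (size_t i = 0; i < count; i++)
        if (name_matches(&names[i], host))
            return 1;
    return 0;
}
```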
