Hi there,

Attached is a little patch against upstream to fix the search for a matching hostname within the X509v3 Subject Alternative Names with a DNS type.

Without the fix mutt does not compare the hostname with the good data of subj_alt_name, thus always failing over to the Common Name of the certificate; causing mutt, when the CN is not equal to the hostname, to always warn:

Certificate host check failed: certificate owner does not match hostname <hostname>

Compiling also gives a warning:

mutt_ssl.c: In function ‘check_host’:
mutt_ssl.c:763: warning: passing argument 1 of ‘mutt_strlen’ from incompatible pointer type
lib.h:193: note: expected ‘const char *’ but argument is of type ‘struct GENERAL_NAME *’

The fix consists only in passing to mutt_strlen the same value that is passed to hostname_match thereafter, i.e.: (char *)(subj_alt_name->d.ia5->data).

Hope that it will be fixed upstream soon,
Julien Moutinho.
diff --git a/mutt_ssl.c b/mutt_ssl.c
index 1a45672..9a5fb37 100644
--- a/mutt_ssl.c
+++ b/mutt_ssl.c
@@ -760,7 +760,7 @@ static int check_host (X509 *x509cert, const char *hostname, char *err, size_t e
subj_alt_name = sk_GENERAL_NAME_value(subj_alt_names, i);
if (subj_alt_name->type == GEN_DNS)
{
- if (mutt_strlen(subj_alt_name) == subj_alt_name->d.ia5->length &&
+ if (mutt_strlen((char *)(subj_alt_name->d.ia5->data)) == subj_alt_name->d.ia5->length &&
(match_found = hostname_match(hostname_ascii,
(char *)(subj_alt_name->d.ia5->data))))
{
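Review bot: the changed line and the unchanged call two lines below it now spell out the same expression, (char *)(subj_alt_name->d.ia5->data), twice; hoist it into a local such as "const char *san = (char *)(subj_alt_name->d.ia5->data);" and give the comparison "mutt_strlen(san) == subj_alt_name->d.ia5->length" a one-line comment saying that it rejects SAN entries with an embedded NUL (the ASN.1 length covers the whole string while the C string stops at the first NUL), so the next reader does not take the length check for a redundant one. The correction itself is right: the old line handed the GENERAL_NAME struct pointer to mutt_strlen, so the length comparison could never hold and every DNS entry was skipped, which is exactly the fall-through to the CN described in the report, and it also removes the incompatible-pointer warning quoted above.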
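To make concrete why the patched comparison of mutt_strlen() against the ASN.1 length matters, here is an added, self-contained C example that is not part of the patch or of mutt's own code. It stands in for the check_host loop without OpenSSL: the struct san_dns type, find_matching_san(), check_sample() and the sample SAN list are all hypothetical constructs for the demonstration, and its hostname_match() is a simplified stand-in for mutt's function (plain ASCII comparison with a single-label "*." wildcard, no IDN handling), not a claim about how mutt implements it. The SAN list is constructed, not taken from any real certificate; its third entry carries an embedded NUL so that a plain C string comparison would see only "www.bank.example".

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for one GEN_DNS entry of a certificate's SAN
 * extension: the IA5String bytes plus the length ASN.1 recorded for them,
 * like subj_alt_name->d.ia5->data / ->length in the patch. The data is
 * assumed to be NUL-terminated, as OpenSSL stores ASN1_STRING data. */
struct san_dns {
    const char *data;
    size_t length;
};

/* ASCII case-insensitive compare; DNS names are case-insensitive. */
static int ascii_casecmp(const char *a, const char *b)
{
    while (*a != '\0' && *b != '\0') {
        int ca = tolower((unsigned char)*a);
        int cb = tolower((unsigned char)*b);
        if (ca != cb)
            return ca - cb;
        a++;
        b++;
    }
    return (unsigned char)*a - (unsigned char)*b;
}

/* Simplified stand-in for mutt's hostname_match(): a leading "*." wildcard
 * covers exactly one label and must be followed by at least two labels. */
static bool hostname_match(const char *hostname, const char *pattern)
{
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *dot = strchr(hostname, '.');
        if (dot == NULL || dot == hostname)
            return false;           /* no label for the wildcard to cover */
        if (strchr(pattern + 2, '.') == NULL)
            return false;           /* refuse "*.tld" style wildcards */
        return ascii_casecmp(dot + 1, pattern + 2) == 0;
    }
    return ascii_casecmp(hostname, pattern) == 0;
}

/* Return the index of the first SAN matching hostname, or -1. An entry
 * whose C-string length differs from its ASN.1 length contains an embedded
 * NUL; it is skipped before any comparison, which is what the
 * mutt_strlen(...) == length check in the patch achieves. */
int find_matching_san(const char *hostname, const struct san_dns *sans, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (strlen(sans[i].data) != sans[i].length)
            continue;
        if (hostname_match(hostname, sans[i].data))
            return (int)i;
    }
    return -1;
}

/* Constructed SAN list for the demonstration; not from a real certificate.
 * The third entry is the embedded-NUL case: the ASN.1 length covers all of
 * "www.bank.example\0.attacker.example" (34 bytes), but strlen() stops at
 * the NUL and reports 16. */
static const struct san_dns sample_sans[] = {
    { "mail.example.org", 16 },
    { "*.example.net", 13 },
    { "www.bank.example\0.attacker.example", 34 },
};

/* Hypothetical helper: look hostname up in the constructed SAN list. */
int check_sample(const char *hostname)
{
    return find_matching_san(hostname, sample_sans,
                             sizeof sample_sans / sizeof sample_sans[0]);
}

int main(void)
{
    const char *hosts[] = { "mail.example.org", "MAIL.example.org",
                            "imap.example.net", "a.b.example.net",
                            "www.bank.example", "example.net" };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-18s -> SAN index %d\n", hosts[i], check_sample(hosts[i]));
    return 0;
}
```

Without the length comparison, the NUL-bearing entry would match "www.bank.example" even though the issuing CA signed a name under attacker.example; with it, that entry is never compared at all, and only the two well-formed names can match.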
