#3903: Rework OpenSSL certificate verification to support alternative chains
--------------------------+----------------------
 Reporter:  kempniu       |  Owner:  mutt-dev
     Type:  enhancement   |  Status:  new
 Priority:  minor         |  Milestone:
Component:  crypto        |  Version:
Resolution:               |  Keywords:
--------------------------+----------------------
Comment (by kevin8t8):

I had a little time to look at the patch (but not test it yet), so just a few brief comments.

First, it looks like you are not validating the hostname when pos==0 but !preverify_ok. Shouldn't we move the check_host() block in between the check_certificate_cache() and the if(!preverify_ok) block?

The "log verification error" should probably go inside a #ifdef DEBUG, just like it was in check_certificate_by_signer(). No sense in generating the error message into buf if the dprint is a noop.

I think the name of the verify callback function should be renamed; ssl_check_preauth is confusing. ssl_verify_callback() sounds as good as anything...

--
Ticket URL: <https://dev.mutt.org/trac/ticket/3903#comment:2>
Mutt <http://www.mutt.org/>
The Mutt mail user agent
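The ordering kevin8t8 asks for, as an added illustration that is not mutt's code and links no OpenSSL: the hostname check runs at depth 0 before the !preverify_ok branch, so a chain failure cannot mask a name mismatch. cert_t, check_host(), cert_cached() and verify_cb() are hypothetical stand-ins for the real callback and its helpers.

```c
/* Added example, not mutt's code. Models the control flow of an
 * OpenSSL-style verify callback: cache check, then hostname check,
 * then the !preverify_ok branch. All names here are hypothetical. */
#include <stdbool.h>
#include <string.h>

typedef struct {
    const char *names[4]; /* constructed SAN/CN list of the leaf cert */
    int n_names;
    bool cached;          /* previously accepted by the user */
} cert_t;

enum { VERIFY_OK = 0, VERIFY_CHAIN = 1, VERIFY_HOST = 2 };

/* Match one name, allowing a single leftmost "*." wildcard label. */
static bool name_matches(const char *pat, const char *host)
{
    if (strncmp(pat, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        return dot && strcmp(pat + 2, dot + 1) == 0;
    }
    return strcmp(pat, host) == 0;
}

static bool check_host(const cert_t *c, const char *host)
{
    for (int i = 0; i < c->n_names; i++)
        if (name_matches(c->names[i], host))
            return true;
    return false;
}

/* depth 0 is the leaf. Returns the first problem found, VERIFY_OK otherwise.
 * Because check_host() precedes the !preverify_ok test, a leaf that fails
 * chain validation is still reported as a hostname mismatch when it is one. */
int verify_cb(int preverify_ok, int depth, const cert_t *c, const char *host)
{
    if (depth == 0 && c->cached)
        return VERIFY_OK;
    if (depth == 0 && !check_host(c, host))
        return VERIFY_HOST;
    if (!preverify_ok)
        return VERIFY_CHAIN;
    return VERIFY_OK;
}

/* Constructed sample leaf for trying the callback. */
const cert_t *sample_leaf(void)
{
    static const cert_t leaf = { { "mail.example.org", "*.example.com" }, 2, false };
    return &leaf;
}
```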