author | Brendan Cully <brendan@kublai.com> | 2009-06-09 22:09:20 -0700 |
committer | Brendan Cully <brendan@kublai.com> | 2009-06-09 22:09:20 -0700 |
commit | 9ad11765d15c8b28d7159fe86672b73c1591a8b3 (patch) | |
tree | 4baf06d2366e4e9346f900697ffe3efa4ba73a09 /mutt_ssl.c | |
parent | 5115b6d7ccb4b8227869fd7cee9eac9c97b775be (diff) |
Improve host checking for SSL with intermediate certificates.
Diffstat (limited to 'mutt_ssl.c')
-rw-r--r-- | mutt_ssl.c | 7 |
1 files changed, 5 insertions, 2 deletions
@@ -740,7 +740,8 @@ static int ssl_cache_trusted_cert (X509 *c)
 }
 
 /* check whether cert is preauthorized. If host is not null, verify that
- * it matches the certificate */
+ * it matches the certificate.
+ * Return > 0: authorized, < 0: problems, 0: unknown validity */
 static int ssl_check_preauth (X509 *cert, const char* host)
 {
   char buf[SHORT_STRING];
@@ -791,7 +792,9 @@ static int ssl_check_certificate (CONNECTION *conn, sslsockdata *data)
   chain = SSL_get_peer_cert_chain (data->ssl);
   chain_len = sk_X509_num (chain);
 
-  if (!chain || (chain_len <= 1))
+  /* negative preauthrc means the certificate won't be accepted without
+   * manual override. */
+  if (preauthrc < 0 || !chain || (chain_len <= 1))
     return interactive_check_cert (data->cert, 0, 0);
 
   /* check the chain from root to peer. */
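Review bot: The new guard reads `preauthrc` but nothing in the hunk shows where it is assigned, so the comment above the condition should name its source and the reason the chain walk is skipped; suggest `/* preauthrc comes from ssl_check_preauth() earlier in this function: a negative value means the certificate won't be accepted without manual override, so do not let the chain walk below re-admit it - ask the user. */`. The security effect is that a multi-certificate chain can no longer bypass a failed host match on the peer certificate, which appears to be what the commit sets out to fix. A preauthrc of 0 (unknown validity, per the convention documented in the first hunk) still proceeds into the chain walk, so that loop is presumably where the host is checked against the peer certificate; worth confirming since it is outside this hunk. ssl_check_certificate continues beyond the end of the hunk.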