by Sunil Shetye. (MA)
* fetchmailconf -h documents the fetchmailconf -h option. Matthias Andree
* fetchmailconf -V now prints the fetchmailconf version. Matthias Andree
+* Add support for SubjectAltName (RFC-2595 or 2818), to avoid bogus certificate
+ mismatch errors. Patch by Roland Stigge, Debian Bug#201113. (MA)
# INTERNAL CHANGES
* Switched to automake. Matthias Andree.
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/pem.h>
-#include <openssl/x509.h>
+#include <openssl/x509v3.h>
#include <openssl/rand.h>
static SSL_CTX *_ctx = NULL;
char *p1 = buf;
char *p2 = _ssl_server_cname;
int n;
+ int matched = 0;
+ STACK_OF(GENERAL_NAME) *gens;
+ /* RFC 2595 section 2.4: find a matching name
+ * first find a match among alternative names */
+ gens = X509_get_ext_d2i(x509_cert, NID_subject_alt_name, NULL, NULL);
+ if (gens) {
+ int i, r;
+ for (i = 0, r = sk_GENERAL_NAME_num(gens); i < r; ++i) {
+ const GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, i);
+ if (gn->type == GEN_DNS) {
+ char *p1 = gn->d.ia5->data;
+ char *p2 = _ssl_server_cname;
+ if (outlevel == O_VERBOSE)
+ report(stderr, "Subject Alternative Name: %s\n", p1);
+ if (*p1 == '*') {
+ ++p1;
+ n = strlen(p2) - strlen(p1);
+ if (n >= 0)
+ p2 += n;
+ }
+ if (0 == strcasecmp(p1, p2)) {
+ matched = 1;
+ }
+ }
+ }
+ sk_GENERAL_NAME_free(gens);
+ }
if (*p1 == '*') {
++p1;
n = strlen(p2) - strlen(p1);
if (n >= 0)
p2 += n;
}
- if (0 != strcasecmp(p1, p2)) {
+ if (0 == strcasecmp(p1, p2)) {
+ matched = 1;
+ }
+ if (!matched) {
report(stderr,
GT_("Server CommonName mismatch: %s != %s\n"),
buf, _ssl_server_cname );