--- mutt_ssl.c +++ mutt_ssl.c 2009-11-25 12:48:35.000000000 +0000 @@ -681,7 +681,8 @@ static int check_host (X509 *x509cert, c subj_alt_name = sk_GENERAL_NAME_value(subj_alt_names, i); if (subj_alt_name->type == GEN_DNS) { - if ((match_found = hostname_match(hostname_ascii, + if (mutt_strlen(subj_alt_name->d.ia5->data) == subj_alt_name->d.ia5->length && + (match_found = hostname_match(hostname_ascii, (char *)(subj_alt_name->d.ia5->data)))) { break; @@ -711,7 +712,9 @@ static int check_host (X509 *x509cert, c strfcpy (err, _("cannot get certificate common name"), errlen); goto out; } - match_found = hostname_match(hostname_ascii, buf); + if (mutt_strlen(buf) == bufsize - 1) { + match_found = hostname_match(hostname_ascii, buf); + } } if (!match_found) @@ -745,6 +748,7 @@ static int ssl_cache_trusted_cert (X509 static int ssl_check_preauth (X509 *cert, const char* host) { char buf[SHORT_STRING]; + int trusted = 0; /* check session cache first */ if (check_certificate_cache (cert)) @@ -753,6 +757,13 @@ static int ssl_check_preauth (X509 *cert return 1; } + /* automatic check from user's database */ + if (SslCertFile && check_certificate_by_digest (cert)) + { + dprint (2, (debugfile, "ssl_check_preauth: digest check passed\n")); + trusted++; + } + buf[0] = 0; if (host && option (OPTSSLVERIFYHOST) != M_NO) { @@ -760,24 +771,20 @@ static int ssl_check_preauth (X509 *cert { mutt_error (_("Certificate host check failed: %s"), buf); mutt_sleep (2); - return -1; + if (!trusted) /* don't fail if cert is manually trusted */ + return -1; } dprint (2, (debugfile, "ssl_check_preauth: hostname check passed\n")); } + if (trusted) return 1; + if (check_certificate_by_signer (cert)) { dprint (2, (debugfile, "ssl_check_preauth: signer check passed\n")); return 1; } - /* automatic check from user's database */ - if (SslCertFile && check_certificate_by_digest (cert)) - { - dprint (2, (debugfile, "ssl_check_preauth: digest check passed\n")); - return 1; - } - return 0; }