dovecot-2.1: imapc: Verify that SSL certificate matches the conn...

dovecot at dovecot.org dovecot at dovecot.org
Tue Sep 6 16:33:25 EEST 2011


details:   http://hg.dovecot.org/dovecot-2.1/rev/e40d6b5ef97e
changeset: 13405:e40d6b5ef97e
user:      Timo Sirainen <tss at iki.fi>
date:      Tue Sep 06 16:33:09 2011 +0300
description:
imapc: Verify that SSL certificate matches the connected hostname.

diffstat:

 src/lib-storage/index/imapc/imapc-connection.c |  21 +++++++++++++--------
 1 files changed, 13 insertions(+), 8 deletions(-)

diffs (37 lines):

diff -r c3dc563c9800 -r e40d6b5ef97e src/lib-storage/index/imapc/imapc-connection.c
--- a/src/lib-storage/index/imapc/imapc-connection.c	Tue Sep 06 16:32:20 2011 +0300
+++ b/src/lib-storage/index/imapc/imapc-connection.c	Tue Sep 06 16:33:09 2011 +0300
@@ -966,20 +966,25 @@
 {
 	struct imapc_connection *conn = context;
 
-	if (ssl_iostream_has_valid_client_cert(conn->ssl_iostream)) {
+	if (!ssl_iostream_has_valid_client_cert(conn->ssl_iostream)) {
+		if (!ssl_iostream_has_broken_client_cert(conn->ssl_iostream)) {
+			i_error("imapc(%s): SSL certificate not received",
+				conn->name);
+		} else {
+			i_error("imapc(%s): Received invalid SSL certificate",
+				conn->name);
+		}
+	} else if (ssl_iostream_cert_match_name(conn->ssl_iostream,
+						conn->client->set.host) < 0) {
+		i_error("imapc(%s): SSL certificate doesn't match host name",
+			conn->name);
+	} else {
 		if (conn->client->set.debug) {
 			i_debug("imapc(%s): SSL handshake successful",
 				conn->name);
 		}
 		return 0;
 	}
-
-	if (!ssl_iostream_has_broken_client_cert(conn->ssl_iostream)) {
-		i_error("imapc(%s): SSL certificate not received", conn->name);
-	} else {
-		i_error("imapc(%s): Received invalid SSL certificate",
-			conn->name);
-	}
 	i_stream_close(conn->input);
 	return -1;
 }
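Review bot: the new host-name mismatch branch logs only conn->name and not the name that was actually compared, so the log line "SSL certificate doesn't match host name" does not tell an operator which configured host the certificate failed against; consider including conn->client->set.host in that i_error() call. The comparison is written as `ssl_iostream_cert_match_name(...) < 0`, which treats every non-negative return as a match, so a short comment stating the return contract of that function would make the fail-closed intent checkable at this call site. It would also help to note here that ssl_iostream_has_valid_client_cert() and ssl_iostream_has_broken_client_cert() are being applied to the certificate presented by the remote side of this imapc connection, since the "client_cert" naming reads the other way round. The reordering itself looks right: all three failure branches fall through to i_stream_close(conn->input) and return -1, and only the final else returns 0.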

