1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
|
diff --git a/imap/src/osdep/nt/ssl_nt.c b/imap/src/osdep/nt/ssl_nt.c
index 3b0118d..d39fdf0 100644
--- a/imap/src/osdep/nt/ssl_nt.c
+++ b/imap/src/osdep/nt/ssl_nt.c
@@ -501,7 +501,7 @@ static int ssl_open_verify (int ok,X509_STORE_CTX *ctx)
static char *ssl_validate_cert (X509 *cert,char *host)
{
- int i,j,n;
+ int i,j,n, m = 0;;
char *s=NULL,*t,*ret = NIL;
void *ext;
GENERAL_NAME *name;
@@ -511,9 +511,11 @@ static char *ssl_validate_cert (X509 *cert,char *host)
/* make sure have a certificate */
if (!cert) return "No certificate from server";
/* Method 1: locate CN */
+#ifndef OPENSSL_1_1_0
if (cert->name == NIL)
ret = "No name in certificate";
else if ((s = strstr (cert->name,"/CN=")) != NIL) {
+ m++; /* count that we tried this method */
if (t = strchr (s += 4,'/')) *t = '\0';
/* host name matches pattern? */
ret = ssl_compare_hostnames (host,s) ? NIL :
@@ -528,8 +530,10 @@ static char *ssl_validate_cert (X509 *cert,char *host)
(name->type = GEN_DNS) && (s = name->d.ia5->data) &&
ssl_compare_hostnames (host,s)) ret = NIL;
}
+#endif /* OPENSSL_1_1_0 */
/* Method 2, use Cname */
- if(ret != NIL){
+ if(m == 0 || ret != NIL){
+ cname = X509_get_subject_name(cert);
for(j = 0, ret = NIL; j < X509_NAME_entry_count(cname) && ret == NIL; j++){
if((e = X509_NAME_get_entry(cname, j)) != NULL){
X509_NAME_get_text_by_OBJ(cname, X509_NAME_ENTRY_get_object(e), buf, sizeof(buf));
@@ -552,7 +556,11 @@ static char *ssl_validate_cert (X509 *cert,char *host)
}
}
- if (ret == NIL && !cert->name && !(cname = X509_get_subject_name(cert)))
+ if (ret == NIL
+#ifndef OPENSSL_1_1_0
+ && !cert->name
+#endif /* OPENSSL_1_1_9 */
+ && !X509_get_subject_name(cert))
ret = "No name in certificate";
if (ret == NIL && s == NIL)
diff --git a/imap/src/osdep/unix/ssl_unix.c b/imap/src/osdep/unix/ssl_unix.c
index 0033e55..24f91e1 100644
--- a/imap/src/osdep/unix/ssl_unix.c
+++ b/imap/src/osdep/unix/ssl_unix.c
@@ -504,7 +504,7 @@ static int ssl_open_verify (int ok,X509_STORE_CTX *ctx)
static char *ssl_validate_cert (X509 *cert,char *host)
{
- int i,j,n;
+ int i,j,n, m = 0;
char *s=NULL,*t,*ret = NIL;
void *ext;
GENERAL_NAME *name;
@@ -514,9 +514,11 @@ static char *ssl_validate_cert (X509 *cert,char *host)
/* make sure have a certificate */
if (!cert) return "No certificate from server";
/* Method 1: locate CN */
+#ifndef OPENSSL_1_1_0
if (cert->name == NIL)
ret = "No name in certificate";
else if ((s = strstr (cert->name,"/CN=")) != NIL) {
+ m++; /* count that we tried this method */
if (t = strchr (s += 4,'/')) *t = '\0';
/* host name matches pattern? */
ret = ssl_compare_hostnames (host,s) ? NIL :
@@ -531,8 +533,10 @@ static char *ssl_validate_cert (X509 *cert,char *host)
(name->type = GEN_DNS) && (s = name->d.ia5->data) &&
ssl_compare_hostnames (host,s)) ret = NIL;
}
- /* Method 2, use Cname */
- if(ret != NIL){
+#endif /* OPENSSL_1_1_0 */
+ /* Method 2, use cname */
+ if(m == 0 || ret != NIL){
+ cname = X509_get_subject_name(cert);
for(j = 0, ret = NIL; j < X509_NAME_entry_count(cname) && ret == NIL; j++){
if((e = X509_NAME_get_entry(cname, j)) != NULL){
X509_NAME_get_text_by_OBJ(cname, X509_NAME_ENTRY_get_object(e), buf, sizeof(buf));
@@ -555,7 +559,11 @@ static char *ssl_validate_cert (X509 *cert,char *host)
}
}
- if (ret == NIL && !cert->name && !(cname = X509_get_subject_name(cert)))
+ if (ret == NIL
+#ifndef OPENSSL_1_1_0
+ && !cert->name
+#endif /* OPENSSL_1_1_0 */
+ && !X509_get_subject_name(cert))
ret = "No name in certificate";
if (ret == NIL && s == NIL)
|