[Dev] IMAP and SMTP over SSL secure - finally
ken at transpac.com
Fri Feb 11 13:28:22 PST 2005
>Heikki Toivonen wrote:
>>I just enabled the final piece in the SSL support for IMAP and SSL. We
>>now check the X.509 certificate that was returned by the server and make
>>sure that the host it was issued to is the same host we connected to.
>>The actual check is stricter than is actually specified in the RFC. I
>>will change it to confirm to the spec, but I would also be interested in
>>finding out if there actually are any certificates out there that would
>>not pass the current check. Specifically, the current checks are
>>stricter because: 1) they are case sensitive, 2) they don't allow
>>certificates specified for multiple hosts. I don't really like how I
>>implemented this whole validation step so I will redo a part of it anyway.
>I would avoid doing a case-sensitive check, it can only lead to
>mysterious problems. That said, I have no idea how IDN affects this
>practice, I'm sure the right thing in the long run is to do an
>octet-string match, but in the meantime I don't think we want to have to
>figure out failure cases where the user entered "Foo.Bar.Edu" as the
>hostname for some reason.
As far as IDN is concerned, I believe that IDN strings first go
through a process called "nameprep", which is a combination of NFKC
(normalization), case folding, removal of control/space characters,
So hopefully case sensitivity wouldn't be an issue, if the IDN spec
is followed correctly. And then yes, you could do a binary comparison
to check for equality.
TransPac Software, Inc.
More information about the Dev