[Dev] IMAP and SMTP over SSL secure - finally

[Ken Krugler]

>Heikki Toivonen wrote:
>
>>I just enabled the final piece in the SSL support for IMAP and SSL. We
>>now check the X.509 certificate that was returned by the server and make
>>sure that the host it was issued to is the same host we connected to.

[snip]

>>The actual check is stricter than is actually specified in the RFC. I
>>will change it to confirm to the spec, but I would also be interested in
>>finding out if there actually are any certificates out there that would
>>not pass the current check. Specifically, the current checks are
>>stricter because: 1) they are case sensitive, 2) they don't allow
>>certificates specified for multiple hosts. I don't really like how I
>>implemented this whole validation step so I will redo a part of it anyway.
>
>I would avoid doing a case-sensitive check, it can only lead to
>mysterious problems.  That said, I have no idea how IDN affects this
>practice, I'm sure the right thing in the long run is to do an
>octet-string match, but in the meantime I don't think we want to have to
>figure out failure cases where the user entered "Foo.Bar.Edu" as the
>hostname for some reason.

As far as IDN is concerned, I believe that IDN strings first go 
through a process called "nameprep", which is a combination of NFKC 
(normalization), case folding, removal of control/space characters, 
etc.

So hopefully case sensitivity wouldn't be an issue, if the IDN spec 
is followed correctly. And then yes, you could do a binary comparison 
to check for equality.

-- Ken
-- 
Ken Krugler
TransPac Software, Inc.
<http://www.transpac.com>
+1 530-470-9200