From: Daniel R. G. <sk...@iS...> - 2006-04-23 09:30:24
I'm using fetchmail to download mail via SSL-secured POP3 from mail.mydomain.com, a server maintained by webhost.com. This server is not dedicated to my domain; it is an alias for one of a handful of mega-mail servers run by webhost.com.

The SSL certificate on mail.mydomain.com (and all the other mail servers) is actually for mail.webhost.com. I can't connect to mail.webhost.com, however, because it is not the same mega-server as the one for my domain; it doesn't recognize my username/password.

(I fully concede that webhost.com, to put it mildly, could manage their SSL services better. They've been following this practice for a long time, unfortunately, and it's quite unlikely that they'll go to the trouble of changing it.)

It would be very helpful to be able to say, "connect to server A, but for the purposes of SSL, pretend it's called B." Right now, there is no way to specify this.

I think that there wouldn't even be a need to introduce a new keyword; this semantic could reasonably be stuffed into "aka". So that, for the above-described scenario, I could say

    poll mail.mydomain.com aka mail.webhost.com protocol pop3 username ... password ... ssl fetchall

and have everything work dandily.

I'm not sure about how the implementation would go, however. The CommonName matching takes place in SSL_verify_callback(), which takes an X509_STORE_CTX and two ints as parameters. The arguments for "aka", however, go into a (struct query)->(struct hostdata)->akalist field, and there doesn't seem to be a way to get to that from the callback.

Would appreciate any thoughts/insight on this....

--Daniel

--
NAME = Daniel Richard G. ## Remember, skunks _\|/_ meef?
EMAIL1 = sk...@is... ## don't smell bad--- (/o|o\) /
EMAIL2 = sk...@al... ## it's the people who < (^),>
WWW = http://www.******.org/ ## annoy them that do! / \
-- (****** = site not yet online)
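Added example, not part of the original message and not fetchmail's code: a sketch of the name check the post proposes, where the certificate name is accepted if it matches the polled server or an explicitly listed alias. It goes slightly beyond the post by handling a leftmost-label wildcard and rejecting names with an embedded NUL. `struct name_list`, `sample_aka` and the function names are assumptions, not fetchmail identifiers.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for fetchmail's akalist; all names here are assumptions. */
struct name_list { const char *name; const struct name_list *next; };
/* Constructed sample: the alias from the post's "aka mail.webhost.com". */
static const struct name_list sample_aka = { "mail.webhost.com", NULL };

/* Case-insensitive equality for ASCII host names. */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* One certificate name against one expected host name. A wildcard counts only
 * as the entire leftmost label and stands for exactly one label. */
static int name_matches(const char *cert, size_t cert_len, const char *host)
{
    const char *dot;
    if (cert_len == 0 || strlen(cert) != cert_len)
        return 0;               /* empty, or NUL embedded in the field */
    if (ieq(cert, host))
        return 1;
    if (cert[0] != '*' || cert[1] != '.' || strchr(cert + 2, '.') == NULL)
        return 0;               /* not a wildcard, or too broad ("*.com") */
    dot = strchr(host, '.');
    return dot != NULL && dot != host && ieq(cert + 1, dot);
}

/* Accept if the name matches the polled server or an explicitly listed alias.
 * In an OpenSSL verify callback, per-connection data like this list is reachable
 * via X509_STORE_CTX_get_ex_data() + SSL_get_ex_data_X509_STORE_CTX_idx(). */
int cert_name_acceptable(const char *cert, size_t cert_len,
                         const char *server, const struct name_list *aka)
{
    int ok = name_matches(cert, cert_len, server);
    for (; !ok && aka != NULL; aka = aka->next)
        ok = name_matches(cert, cert_len, aka->name);
    return ok;
}

int main(void)
{
    printf("%d\n", cert_name_acceptable("mail.webhost.com", 16, "mail.mydomain.com", &sample_aka));
    return 0;
}
```

Unlike turning certificate checking off, this keeps verification on and widens the accepted set only to names the user wrote into the configuration.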