From: Daniel R. G. <sk...@iS...> - 2006-04-25 06:50:14
On Mon, 2006 Apr 24 14:49:19 +0200, Matthias Andree wrote:
>
> I'll ponder this a bit, and see if "aka" or "via" should be overloaded
> or a new option be introduced. I usually prefer separate options because
> sooner or later someone will find a use case where overloading a token
> restricts flexibility again and the initial enthusiasm for saving yet
> another token turns into frustration because existing documentation,
> practice and configuration locks the software in to its former way of
> overloading the token for quite a while.

That sounds suspiciously like wisdom :-)

Maybe something like "sslalternate" (or "sslalt"), given that this would
essentially simulate an alternate-name on the server certificate. This
could more reasonably become a new field in X509_STORE_CTX, which makes
the integration cleaner.

(I can try my hand at a patch, if you like... any pointers/caveats I
should know?)

> Currently the expected name is the "via" name if given, otherwise the
> poll name.

And the proposed new feature/keyword would basically be the reverse of
that. Hmm.

> > That's what I'm doing for now, but I still get the "CommonName mismatch"
> > warnings. (Twice for every connection, in fact.) I want to get rid of
>
> Which indicates that you are running a version before 6.3.4. This
> version fixed this particular issue (well, as long as "sslcertck" isn't
> enabled, which would deliberately turn the CN mismatch into a fatal
> socket error anyways).

Yes indeed... 6.2.5, as shipped with Debian sarge :>

*download* *download* *build* *build*

Okay, I have 6.3.4 now. Strike that second warning....


--Daniel


--
NAME   = Daniel Richard G.       ##  Remember, skunks       _\|/_  meef?
EMAIL1 = sk...@is...             ##  don't smell bad---    (/o|o\) /
EMAIL2 = sk...@al...             ##  it's the people who   < (^),>
WWW    = http://www.******.org/  ##  annoy them that do!    /   \
--
(****** = site not yet online)