Re: [fetchmail-devel] Workaround for unavoidable SSL CommonName mismatch?

[Daniel R. G. <sk...@iS...>]

On Tue, 2006 May 02 00:52:29 +0200, Matthias Andree wrote:
> 
> Well, there are string list functions inside fetchmail, and these can
> help with the implementation. I wonder if that's useful though - that
> would mean servers behind a load balancer use different common names.

I was thinking of a single DNS name resolving to multiple such hosts, but 
yes, same idea. A really, really badly broken SSL setup }:)

Looking at the code, however, I think I'll probably shy away from that. 
SSL_verify_callback() already has too many levels of indentation, and 
checking against multiple common names would require another one (for a 
nested loop). Someone really should refactor that function....

> Looks good to me (I haven't applied and tested it though yet).
> 
> A tiny bit, the "cname" variables might better be renamed (perhaps to
> "comname" or sslcommonname) to avoid someone (like myself) from assuming
> it might have to do with the DNS CNAME resource record (canonical name).

Excellent point. Will do that.

> Thanks for your work!

Glad to contribute. I'll flesh out the patch, tweak it as advised, and 
submit it when ready.


Sincerely yours,


--Daniel


-- 
NAME   = Daniel Richard G.       ##  Remember, skunks       _\|/_  meef?
EMAIL1 = sk...@is...        ##  don't smell bad---    (/o|o\) /
EMAIL2 = sk...@al...      ##  it's the people who   < (^),>
WWW    = http://www.******.org/  ##  annoy them that do!    /   \
--
(****** = site not yet online)