| | | |
|---|---|---|
| author | Matthias Andree <matthias.andree@gmx.de> | 2009-01-22 12:11:16 +0000 |
| committer | Matthias Andree <matthias.andree@gmx.de> | 2009-01-22 12:11:16 +0000 |
| commit | 4691082c9b0659476e919bd7a8a30ec1b5537a7c (patch) | |
| tree | 7af723caa9b77b25c8819f42f8432d777e5824dc /socket.c | |
| parent | af7d73c7ab76ad81fed78b7f5c024daf1af87d9d (diff) | |
| download | fetchmail-4691082c9b0659476e919bd7a8a30ec1b5537a7c.tar.gz, fetchmail-4691082c9b0659476e919bd7a8a30ec1b5537a7c.tar.bz2, fetchmail-4691082c9b0659476e919bd7a8a30ec1b5537a7c.zip | |
case-insensitive check of SSL fingerprints (Daniel Richard G.)
Daniel Richard G. writes:
| I was clearing out an old Fetchmail SVN checkout I had lying around
| here, and came across one small change that I forgot to send in.
|
| In socket.c, there's a bit of code that compares SSL certificate
| fingerprints: [...]
|
| That strcmp() call should be an strcasecmp(). At one point, I
| encountered a certificate where the fingerprint's hex digits were in a
| different case than what was expected, and the connection attempt failed
| because of that. Not exactly what you'd call a potential MitM attack
| :-)
He's right: we can compare case-insensitively without sacrificing
fetchmail's security, so let's just do that for the sake of ease of use.
svn path=/branches/BRANCH_6-3/; revision=5262
Diffstat (limited to 'socket.c')

| | | |
|---|---|---|
| -rw-r--r-- | socket.c | 2 |

1 files changed, 1 insertions, 1 deletions
@@ -717,7 +717,7 @@ static int SSL_verify_callback( int ok_return, X509_STORE_CTX *ctx, int strict ) if (outlevel > O_NORMAL) report(stdout, GT_("%s key fingerprint: %s\n"), _server_label, text); if (_check_digest != NULL) { - if (strcmp(text, _check_digest) == 0) { + if (strcasecmp(text, _check_digest) == 0) { if (outlevel > O_NORMAL) report(stdout, GT_("%s fingerprints match.\n"), _server_label); } else { |
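Review bot: the strcmp() to strcasecmp() swap in SSL_verify_callback() is safe only because both `text` and `_check_digest` are hex digest strings, so the relaxed comparison cannot widen what is accepted beyond the same digest spelled in a different case; that reasoning belongs in a one-line comment next to `if (strcasecmp(text, _check_digest) == 0)`, since a future reader will otherwise see a case-insensitive match in a certificate-pinning path and wonder whether it is a weakening. Two follow-ups the hunk does not show: confirm that socket.c includes <strings.h>, where POSIX declares strcasecmp(), and update the documentation of the sslfingerprint option to state that the configured fingerprint is now matched without regard to case. An alternative worth considering is to normalise `_check_digest` to a single case once at configuration-parse time and keep the exact comparison here, which would also let a malformed fingerprint value be rejected at startup instead of surfacing as a failed connection.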