Re: RFC: Handling of certificates in Debian
On Fri, Aug 30, 2002 at 06:58:00PM +0100, Andrew McDonald wrote:
> On a similar subject, there seem to be more than a few applications
> that have had "SSL/TLS support" added, but don't do any hostname
> checking against the certificate - leaving you open to
> man-in-the-middle attacks.
(speaking as an offender)
Why is it that TLS libraries don't handle a lot of this
simple validation on behalf of applications?
Why is it that the sample gnutls code doesn't seem to
include this check?
Can you report bugs against broken packages with patches?
It seems like you've contributed a lot of mutt-specific code
to handle certificate validation in the-right-way, but that
the procedure is both generally useful and error-prone so
should be centralized.
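The check the message above says many TLS-enabled clients skip, as an added example that is not part of the original mail and is not code from mutt or GnuTLS: after the certificate chain has been verified, the client still has to confirm that the name the user asked to connect to is one the leaf certificate actually names. The example works over names already extracted from the peer certificate; the struct peer_names, cert_matches_host and the sample certificates are constructed here for illustration. It applies the rules a practitioner would expect (case-insensitive comparison, dNSName SANs taking precedence over the CN, wildcards restricted to a single leftmost label, IP literals matched only against iPAddress entries), which goes slightly beyond the bare "compare CN to hostname" check the thread asks for.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Names extracted from an already chain-validated peer certificate.
 * (Constructed for this example; a real client fills this from its TLS
 * library, i.e. the subjectAltName entries and subject CN of the leaf.) */
struct peer_names {
    const char *const *dns;  /* subjectAltName dNSName entries */
    size_t ndns;
    const char *const *ip;   /* subjectAltName iPAddress entries, as text */
    size_t nip;
    const char *cn;          /* subject commonName, or NULL if absent */
};

/* DNS names are case-insensitive: compare two names ignoring ASCII case. */
static bool name_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == '\0' && *b == '\0';
}

/* True if the name the user typed is an IP literal (IPv4 dotted quad, or
 * anything containing ':' for IPv6); such names never match a dNSName or CN. */
static bool is_ip_literal(const char *host)
{
    if (strchr(host, ':') != NULL)
        return true;
    for (const char *c = host; *c; c++)
        if (!isdigit((unsigned char)*c) && *c != '.')
            return false;
    return *host != '\0';
}

/* Match one presented identifier (dNSName or CN) against the hostname.
 * Following RFC 6125 s6.4.3, '*' is accepted only as the entire leftmost
 * label, it matches exactly one label, and it may not stand for a whole
 * registry suffix such as "*.com". Anything else is an exact match. */
static bool match_identifier(const char *pattern, const char *host)
{
    if (strncmp(pattern, "*.", 2) != 0)
        return name_eq(pattern, host);

    const char *suffix = pattern + 1;             /* ".example.net" */
    if (strchr(suffix + 1, '.') == NULL)          /* "*.com": refuse */
        return false;
    const char *dot = strchr(host, '.');
    if (dot == NULL || dot == host)               /* need one leading label */
        return false;
    return name_eq(dot, suffix);                  /* exactly one label consumed */
}

/* The step the thread says many clients omit: does the certificate name
 * the host the user asked for? 'host' must be the name the user gave the
 * client, never something learned from DNS, which an attacker may control. */
bool cert_matches_host(const struct peer_names *p, const char *host)
{
    if (is_ip_literal(host)) {
        for (size_t i = 0; i < p->nip; i++)
            if (strcmp(p->ip[i], host) == 0)
                return true;
        return false;                 /* no fallback to dNSName or CN for IPs */
    }
    if (p->ndns > 0) {
        /* dNSName SANs present: they are authoritative and the CN is
         * ignored (RFC 6125 s6.4.4). */
        for (size_t i = 0; i < p->ndns; i++)
            if (match_identifier(p->dns[i], host))
                return true;
        return false;
    }
    /* No dNSName SAN at all: fall back to the subject CN. */
    return p->cn != NULL && match_identifier(p->cn, host);
}

/* Constructed sample certificates for the demo and tests. */
static const char *const demo_dns[] = { "mail.example.org", "*.example.net" };
static const char *const demo_ip[]  = { "192.0.2.10" };
const struct peer_names DEMO_SAN_CERT = { demo_dns, 2, demo_ip, 1, "ignored.example.com" };
const struct peer_names DEMO_CN_ONLY_CERT = { NULL, 0, NULL, 0, "mail.example.org" };
const struct peer_names DEMO_BAD_WILDCARD_CERT = { NULL, 0, NULL, 0, "*.com" };

int main(void)
{
    const char *hosts[] = { "mail.example.org", "MAIL.example.ORG", "imap.example.net",
                            "a.b.example.net", "example.net", "ignored.example.com",
                            "192.0.2.10", "192.0.2.11" };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-20s %s\n", hosts[i],
               cert_matches_host(&DEMO_SAN_CERT, hosts[i]) ? "match" : "MISMATCH");
    return 0;
}
```

This is only the naming step: it assumes the chain has already been checked (signature, trust anchor, validity period, revocation) and a MISMATCH must abort the connection rather than merely warn. In GnuTLS the equivalent library call is gnutls_x509_crt_check_hostname(), which is the kind of centralised helper the message argues applications should be using instead of hand-rolling the comparison.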