On Sun, Apr 19, 2026 at 03:36:05PM +0200, Matthias Andree via Mutt-dev wrote:
Am 18.04.26 um 17:42 schrieb Kevin J. McCarthy:
On Sat, Apr 18, 2026 at 09:27:59PM +0800, Kevin J. McCarthy wrote:

  kevin/stable-security-08        Abort if there are DNS entries but

For #8 I need to check the RFC myself, so if anyone with OpenSSL code experience wants to confirm that would be welcome.

Re #8, it's been a while since I'd read the standards (RFC 5280 and 6125), but what's in the OP matches my recollection. I find the check plausible and correct. There might be improperly issued certificates afoot (I've even seen some CAs issue certificates with serial number 0, which wolfSSL would reject), so with that change merged, mutt starts rejecting certificates - ones that don't repeat or pattern-match the CN in the SAN - that it used to accept, so this should be announced as a "breaking change" in the NEWS.

Thanks Matthias.

I wonder if this change is high enough priority to include in the stable branch then. Does anyone have thoughts on the severity of the impact of mutt matching against the CN when none of the DNS entries match?

If it is important, I'll add an entry to NEWS for the stable release. But if this is just a "we're technically incorrect but it's not a huge issue", perhaps I should apply it to master instead.

--
Kevin J. McCarthy
GPG Fingerprint: 8975 A9B3 3AA3 7910 385C  5308 ADEF 7684 8031 6BDA

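The rule being debated above, as an added example in plain C that is not mutt's code and does not use OpenSSL: a certificate that carries any dNSName SAN is matched against those entries only, and the CN is consulted solely when no dNSName is present (RFC 6125 section 6.4.4), with the usual wildcard limits from section 6.4.3. The function names hostname_matches and legacy_hostname_matches, and the sample certificate with CN mail.example.org and a SAN listing only www.example.org, are constructed for the illustration; the "legacy" variant models the CN fallback the thread says mutt used to perform.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* DNS names compare case-insensitively (RFC 4343). */
static int dns_name_eq(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Match one presented identifier (a dNSName SAN or the CN) against the reference
 * host name. Wildcard handling follows RFC 6125 s6.4.3 plus the common extra
 * restriction: the wildcard must be the whole left-most label, it matches exactly
 * one label, and at least two labels must follow it, so "*.org" matches nothing. */
static int presented_matches(const char *presented, const char *host)
{
    if (strncmp(presented, "*.", 2) != 0)
        return dns_name_eq(presented, host);

    const char *suffix = presented + 1;      /* e.g. ".example.org" */
    if (strchr(suffix + 1, '.') == NULL)     /* too few labels after the wildcard */
        return 0;
    const char *hdot = strchr(host, '.');    /* host minus its first label */
    if (hdot == NULL || hdot == host)
        return 0;
    return dns_name_eq(hdot, suffix);
}

/* Strict behaviour (RFC 6125 s6.4.4, hypothetical name): when the certificate
 * carries any dNSName entry, only those entries are consulted. The CN is a
 * fallback solely for certificates that present no dNSName at all. */
int hostname_matches(const char *host, const char *const *san_dns, size_t n_san,
                     const char *cn)
{
    if (n_san > 0) {
        for (size_t i = 0; i < n_san; i++)
            if (presented_matches(san_dns[i], host))
                return 1;
        return 0; /* dNSNames present, none match: reject without trying the CN */
    }
    return cn != NULL && presented_matches(cn, host);
}

/* The pre-change behaviour described in the thread (hypothetical name): fall
 * back to the CN whenever the SAN entries fail, even if some were present. */
int legacy_hostname_matches(const char *host, const char *const *san_dns,
                            size_t n_san, const char *cn)
{
    for (size_t i = 0; i < n_san; i++)
        if (presented_matches(san_dns[i], host))
            return 1;
    return cn != NULL && presented_matches(cn, host);
}

int main(void)
{
    /* Constructed certificate: the CN names the mail host, but the SAN lists
     * only the web host. This is the shape of certificate that starts being
     * rejected once the CN fallback is removed. */
    const char *host = "mail.example.org";
    const char *san[] = { "www.example.org" };
    const char *cn = "mail.example.org";

    printf("strict (RFC 6125):  %s\n",
           hostname_matches(host, san, 1, cn) ? "accept" : "reject");
    printf("legacy CN fallback: %s\n",
           legacy_hostname_matches(host, san, 1, cn) ? "accept" : "reject");
    return 0;
}
```

The difference between the two functions is exactly the set of certificates the NEWS entry would have to warn about: those whose SAN exists but omits the name the CN carries. For comparison, OpenSSL's X509_check_host(3) applies the strict rule by default and only consults the subject CN when no dNSName is present, unless the caller passes X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT.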