From: Jeremy Harris
Date: Wed, 22 Apr 2015 19:26:56 +0000 (+0100)
Subject: UTF8: Cert namechecks always use a-label
X-Git-Tag: exim-4_86_RC1~71
X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/4af0d74a886c7fbd4e3eec1743f4b1d2d8a4d457
UTF8: Cert namechecks always use a-label
---
diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt
index f0490b04a..d446f6b67 100644
--- a/doc/doc-txt/experimental-spec.txt
+++ b/doc/doc-txt/experimental-spec.txt
@@ -1299,6 +1299,9 @@ the appendfile transport, will have utf8 name.
 Helo names sent by the smtp transport will have any utf8 components expanded to a-label form.
+Any certificate name checks will be done using the a-label
+form of the name.
+
 Log lines and Received-by: header lines will aquire a "utf8" prefix on the protocol element, eg. utf8esmtp.
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 6162cfa9e..6db7e4a8c 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -1785,7 +1785,12 @@ tls_client_setup_hostname_checks(host_item * host, exim_gnutls_state_st * state,
 {
 if (verify_check_given_host(&ob->tls_verify_cert_hostnames, host) == OK)
 {
- state->exp_tls_verify_cert_hostnames = host->name;
+ state->exp_tls_verify_cert_hostnames =
+#ifdef EXPERIMENTAL_INTERNATIONAL
+ string_domain_utf8_to_alabel(host->name, NULL);
+#else
+ host->name;
+#endif
 DEBUG(D_tls)
 debug_printf("TLS: server cert verification includes hostname: \"%s\".\n",
 state->exp_tls_verify_cert_hostnames);
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 65d608925..530266d36 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
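Review bot: The result of `string_domain_utf8_to_alabel(host->name, NULL)` in the tls-gnu.c hunk is stored straight into `state->exp_tls_verify_cert_hostnames` with no check, and the NULL second argument appears to discard whatever error the conversion reports. If the helper can return NULL for a name that fails conversion (its definition is not visible here, so confirm), the name to verify becomes NULL, the following `debug_printf` passes it to `%s`, and whether the later certificate name check then fails or is silently skipped depends on code outside the hunk. I would pass a real error pointer, e.g. `uschar * errstr = NULL;` with `string_domain_utf8_to_alabel(host->name, &errstr)`, and treat a NULL result as a failed verification setup instead of continuing. The same applies to the `cbinfo->verify_cert_hostnames` assignment in the tls-openssl.c hunk; both enclosing functions extend beyond the hunks shown.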
@@ -1725,7 +1725,12 @@ if ((rc = setup_certs(ctx, ob->tls_verify_certificates,
 if (verify_check_given_host(&ob->tls_verify_cert_hostnames, host) == OK)
 {
- cbinfo->verify_cert_hostnames = host->name;
+ cbinfo->verify_cert_hostnames =
+#ifdef EXPERIMENTAL_INTERNATIONAL
+ string_domain_utf8_to_alabel(host->name, NULL);
+#else
+ host->name;
+#endif
 DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n", cbinfo->verify_cert_hostnames);
 }