Bug 3105

Summary: vcal plugin via https does not check SSL peer certificates or host
Product: Claws Mail (GTK 2)
Reporter: Marcus Meissner <meissner>
Component: Plugins/vCalendar
Assignee: users
Status: RESOLVED FIXED    
Severity: normal    
Priority: P3    
Version: 3.9.3   
Hardware: PC   
OS: Linux   

Description Marcus Meissner 2014-03-11 09:27:31 UTC
src/plugins/vcalendar/vcal_folder.c

has this:

#if LIBCURL_VERSION_NUM >= 0x070a00
        curl_easy_setopt(curl_ctx, CURLOPT_SSL_VERIFYPEER, 0);
        curl_easy_setopt(curl_ctx, CURLOPT_SSL_VERIFYHOST, 0);
#endif

This is basically allowing any kind of man in the middle attack.


Please fix.

Comment 1 users 2014-04-21 14:48:03 UTC
Changes related to this bug have been committed.
Please check latest Git and update the bug accordingly.
You can also get the patch from:
http://git.claws-mail.org/

++ ChangeLog	2014-04-21 14:48:03.583507242 +0200
http://git.claws-mail.org/?p=claws.git;a=commitdiff;h=1dcb028ecd64f44d96ce3bb1e00a1a8316ec1d1d
Merge: ea9e88b e31ec07
Author: Colin Leroy <colin@colino.net>
Date:   Mon Apr 21 14:48:03 2014 +0200

    Merge branch 'master' of file:///home/git/claws

http://git.claws-mail.org/?p=claws.git;a=commitdiff;h=e31ec07076724b7674db10da03ff959312ff7129
Author: Colin Leroy <colin@colino.net>
Date:   Mon Apr 21 14:46:29 2014 +0200

    Fix bug #3105, "vCal plugin via https does not check SSL peer certificates or host"
    Add a preference to disable SSL certificate verification.
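
A source audit for the pattern reported in this bug, as an added example that is not part of the bug report or the Claws Mail code: it flags curl_easy_setopt calls that turn off CURLOPT_SSL_VERIFYPEER or CURLOPT_SSL_VERIFYHOST, and calls that take the value from a run-time setting such as a preference. The function names and the second sample are constructed for illustration.

```python
import re

# curl_easy_setopt(handle, CURLOPT_SSL_VERIFYPEER|VERIFYHOST, value),
# tolerating extra whitespace and calls split across lines.
SETOPT_RE = re.compile(
    r"curl_easy_setopt\s*\(\s*[^,]+,\s*"
    r"(CURLOPT_SSL_VERIFY(?:PEER|HOST))\s*,\s*([^)]+?)\s*\)"
)

# The snippet quoted in the bug description.
SAMPLE_BEFORE = """\
#if LIBCURL_VERSION_NUM >= 0x070a00
        curl_easy_setopt(curl_ctx, CURLOPT_SSL_VERIFYPEER, 0);
        curl_easy_setopt(curl_ctx, CURLOPT_SSL_VERIFYHOST, 0);
#endif
"""

# Constructed sample: verification left on, second call split across lines.
SAMPLE_AFTER = """\
curl_easy_setopt(curl_ctx, CURLOPT_SSL_VERIFYPEER, 1L);
curl_easy_setopt(curl_ctx,
                 CURLOPT_SSL_VERIFYHOST, 2L);
"""


def classify(option, value):
    """Return a reason string if the setting needs attention, else None."""
    v = {"TRUE": "1", "FALSE": "0"}.get(value.upper(), value).rstrip("lL")
    if not v.isdigit():
        # Variable, ternary or call: the audit cannot see the value.
        return "set at run time: confirm the default verifies"
    if int(v) == 0:
        return "verification disabled"
    # libcurl documents 2 as the value that checks the host name.
    if option == "CURLOPT_SSL_VERIFYHOST" and int(v) != 2:
        return "host name check should be 2"
    return None


def audit_curl_tls(source):
    """Return [(line_no, option, value, reason)] for C source text."""
    findings = []
    for m in SETOPT_RE.finditer(source):
        option, value = m.groups()
        reason = classify(option, value)
        if reason:
            line_no = source.count("\n", 0, m.start()) + 1
            findings.append((line_no, option, value, reason))
    return findings
```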