src/plugins/vcalendar/vcal_folder.c has this: #if LIBCURL_VERSION_NUM >= 0x070a00 curl_easy_setopt(curl_ctx, CURLOPT_SSL_VERIFYPEER, 0); curl_easy_setopt(curl_ctx, CURLOPT_SSL_VERIFYHOST, 0); #endif This is basically allowing any kind of man in the middle attack. Please fix.
Changes related to this bug have been committed. Please check latest Git and update the bug accordingly. You can also get the patch from: http://git.claws-mail.org/ ++ ChangeLog 2014-04-21 14:48:03.583507242 +0200 http://git.claws-mail.org/?p=claws.git;a=commitdiff;h=1dcb028ecd64f44d96ce3bb1e00a1a8316ec1d1d Merge: ea9e88b e31ec07 Author: Colin Leroy <colin@colino.net> Date: Mon Apr 21 14:48:03 2014 +0200 Merge branch 'master' of file:///home/git/claws http://git.claws-mail.org/?p=claws.git;a=commitdiff;h=e31ec07076724b7674db10da03ff959312ff7129 Author: Colin Leroy <colin@colino.net> Date: Mon Apr 21 14:46:29 2014 +0200 Fix bug #3105, "vCal plugin via https does not check SSL peer certificates or host" Add a preference to disable SSL certificate verification.