Tuesday, May 31, 2022

Re: mutt fetch-mail ssl error

I've been able to replicate this now, but I'm not seeing any recent
change in behaviour. I've tried with mutt versions going back to 2.0.7
with the libressl version in 7.1, and on 7.0 with the current version
of mutt in packages for release, and they all behave the same.

It's not specific to any particular mail server but requires
ssl_usesystemcerts=no.

Avon: to work around your problem, remove "set ssl_usesystemcerts=no";
it will then validate against /etc/ssl/cert.pem and avoid asking you
each time. But I don't see what could have changed recently that is
triggering it.

Test case:

$ cat .muttrc-test
set certificate_file="~/.mutt_test_certificates"
set pop_host="pops://test_libressl_issue@mail.spacehopper.org:995"
set ssl_usesystemcerts=no

$ rm .mutt_test_certificates
$ mutt -F .muttrc-test

<hit G, "fetch-mail">
<hit a, "accept always">
^C, exit
repeat trying to fetch mail

With the "ssl_usesystemcerts=no" config, I would expect that mutt would
need to save all of (server, intermediate, CA) certificates to its cert
file, in order that it can verify in future.

What actually happens is the server certificate is saved, not the CA
or intermediate certificate, and *somehow* the validation succeeds if you
append _any_ self-signed certificate (e.g. tail -25 /etc/ssl/cert.pem >>
.mutt_test_certificates).

Not sure if this is a Mutt problem or a LibreSSL one. I haven't compared
with a build done against OpenSSL rather than LibreSSL yet (the only
other install I have handy right now is Debian, and their Mutt packages
use gnutls instead, which doesn't support setting ssl_usesystemcerts at all).
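The chain check the message above expects of the cert file (server, intermediate and CA certificates all present before verification can succeed), as an added example that is not part of the original post or of mutt: it builds a throwaway three-tier test PKI with the openssl command-line tool (every name, path and the mail.example.test hostname is constructed here), lists what a PEM bundle contains the way one would inspect a mutt certificate_file, and checks the server certificate against a bundle holding only that certificate, against the full chain, and against a root-only trust store with the intermediate supplied separately (the shape of the ssl_usesystemcerts=yes case, where the root comes from /etc/ssl/cert.pem and the server sends the intermediate).

```shell
#!/bin/sh
# Added example, not from the original post or from mutt: build a throwaway
# root -> intermediate -> server PKI with the openssl CLI and show which bundle
# contents let a chain-based verifier accept the server certificate.
# All names, paths and the hostname below are constructed for the example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# build_chain DIR: create root.pem, inter.pem and server.pem (plus keys) in DIR.
build_chain() {
    dir=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:mail.example.test\n' \
        > "$dir/leaf.ext"

    # Root CA: a CSR self-signed with CA extensions.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Test Root" \
        -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 2 \
        -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null

    # Intermediate CA, signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Test Intermediate" \
        -keyout "$dir/inter.key" -out "$dir/inter.csr" 2>/dev/null
    openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 2 -extfile "$dir/ca.ext" -out "$dir/inter.pem" 2>/dev/null

    # Server (leaf) certificate, signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/inter.pem" -CAkey "$dir/inter.key" \
        -CAcreateserial -days 2 -extfile "$dir/leaf.ext" -out "$dir/server.pem" 2>/dev/null
}

# list_certs BUNDLE: print subject and issuer of every certificate in a PEM
# bundle, i.e. what a mutt certificate_file actually holds.
list_certs() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# count_certs BUNDLE: number of PEM certificates in the file.
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# verify_status LEAF TRUSTED [UNTRUSTED]: "ok" if LEAF chains to a self-signed
# certificate in TRUSTED, optionally using UNTRUSTED as the server-sent chain.
verify_status() {
    if [ -n "${3:-}" ]; then
        if openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1; then
            echo ok; else echo fail; fi
    else
        if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
            echo ok; else echo fail; fi
    fi
}

build_chain "$WORK"

# The cert file as the message reports mutt writing it: the server cert alone.
cp "$WORK/server.pem" "$WORK/leaf_only.pem"
# The cert file a chain-based verifier needs when system certs are disabled.
cat "$WORK/server.pem" "$WORK/inter.pem" "$WORK/root.pem" > "$WORK/full_chain.pem"

echo "== full_chain.pem holds $(count_certs "$WORK/full_chain.pem") certificates:"
list_certs "$WORK/full_chain.pem"
echo "leaf-only cert file:                          $(verify_status "$WORK/server.pem" "$WORK/leaf_only.pem")"
echo "server+intermediate+root cert file:           $(verify_status "$WORK/server.pem" "$WORK/full_chain.pem")"
echo "root-only store, intermediate sent by server: $(verify_status "$WORK/server.pem" "$WORK/root.pem" "$WORK/inter.pem")"
```

The script uses plain `openssl verify` rather than mutt's own certificate check, so it shows what chain-based verification expects of the cert file; it does not exercise the mutt/LibreSSL code path the message is about, and does not reproduce the appended-self-signed-certificate behaviour described above. The `list_certs` pipeline is the quickest way to see whether a real certificate_file holds the full chain or only the server certificate.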
