Wednesday, June 01, 2022

Re: mutt fetch-mail ssl error

On Tue, May 31, 2022 at 03:00:48PM +0100, Stuart Henderson wrote:
> I've been able to replicate this now, but I'm not seeing any recent
> change in behaviour, I've tried with mutt versions going back to 2.0.7
> with the libressl version in 7.1, and on 7.0 with the current version
> of mutt in packages for release, and they all behave the same.
>
> It's not specific to any particular mail server but requires
> ssl_usesystemcerts=no.
>
> Avon: to workaround your problem, remove "set ssl_usesystemcerts=no",
> it will then validate against /etc/ssl/cert.pem and avoid asking you
> each time. But I don't see what could have changed recently that is
> triggering it.
>
> Test case:
>
> $ cat .muttrc-test
> set certificate_file="~/.mutt_test_certificates"
> set pop_host="pops://test_libressl_issue@mail.spacehopper.org:995"
> set ssl_usesystemcerts=no
>
> $ rm .mutt_test_certificates
> $ mutt -F .muttrc-test
>
> <hit G, "fetch-mail">
> <hit a, "accept always">
> ^C, exit
> repeat trying to fetch mail
>
> With the "ssl_usesystemcerts=no" config, I would expect that mutt would
> need to save all of (server, intermediate, CA) certificates to its cert
> file, in order that it can verify in future.
>
> What actually happens is the server certificate is saved, not the CA
> or intermediate certificate, and *somehow* the validation succeeds if you
> append _any_ self-signed certificate (e.g. tail -25 /etc/ssl/cert.pem >>
> .mutt_test_certificates).
>
> Not sure if this is a Mutt problem or a LibreSSL one. I haven't compared
> with a build done against OpenSSL rather than LibreSSL yet (the only
> other install I have handy right now is Debian and their Mutt packages
> use gnutls instead which don't support setting ssl_usesystemcerts at all).
>
Brilliant Stuart. Thank you.

Removing "set ssl_usesystemcerts=no" from ~/.muttrc enables me to
fetch-mail from xtra.co.nz again on the M6600 laptop. I do not recall
when or why I changed the default setting. It has been there a looong
time. Probably years.

After I send this, I will return to the laptop and invoke
'mutt -F .muttrc-test', until file .mutt_test_certificates stops
growing. It is currently 3639 bytes. Do you want a copy of it when it
stops growing?

I will try my other desktop machines tomorrow.

Below is a running log from the laptop based on your test case above.

m6600:/home/aer
$ cat .muttrc-test
set certificate_file="~/.mutt_test_certificates"
set pop_host="pops://test_libressl_issue@mail.spacehopper.org:995"
set ssl_usesystemcerts=no
m6600:/home/aer
$ rm .mutt_test_certificates
rm: .mutt_test_certificates: No such file or directory
m6600:/home/aer
$ mutt -F .muttrc-test
### Needed to create ~/Mail
G
This certificate belongs to:
symphytum.spacehopper.org
Unknown
Unknown
Unknown
Unknown
Unknown
Unknown

This certificate was issued by:
Buypass Class 2 CA 5
Unknown
Buypass AS-983163327
Unknown
Unknown
Unknown
NO

This certificate is valid
from Feb 14 11:08:09 2022 GMT
to Aug 12 21:59:00 2022 GMT

SHA1 Fingerprint: 5C30 182D DC3B 03FB 55C5 5175 EFED 3E85 66CE 4815
SHA256 Fingerprint: E369 50E5 FCC6 5E56 C2B4 F47C 3658 1AC4
8FC0 410F DFAE 01CA 1955 CB07 F30E 0C02
a
# Displayed on mutt command line:
Password for test_libressl_issue@mail.spacehopper.org
^C y # To exit mutt

$ mutt -F .muttrc-test
# Error message flashed across screen, too fast to read.
# Displayed on mutt command line:
Error connecting to server: mail.spacehopper.org
E
# Switch brain on Avon!
# Quit mutt to add 'bind generic E error-history' to ~/.muttrc-test

$ mutt -F .muttrc-test
# Error message flashed across screen, too fast to read
# On mutt command line:
Error connecting to server: mail.spacehopper.org
E
Reading /var/mail/aer...
Reading /var/mail/aer... 0
Looking up mail.spacehopper.org...
Connecting to mail.spacehopper.org...
SSL failed: error:14FFF086:SSL routines:(UNKNOWN)SSL_internal:certificate verify failed
Error connecting to server: mail.spacehopper.org
i
q
# Then exited from mutt

# Invoked 'mutt -F .muttrc-test' 3 more times. Each time, the same
# error information as above was output.

#
# Since we had the same version of mutt and libssl.so.52.0 a few days
# ago, a newer snapshot has been installed on my laptop. The above was
# performed on the laptop with the newer snapshot. I now have:
#
kern.version=OpenBSD 7.1-current (GENERIC.MP) #563: Mon May 30 19:14:52 MDT 2022
deraadt@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

-r--r--r-- 1 root bin 1509824 May 31 00:56 /usr/lib/libssl.so.52.0
drwxr-xr-x 2 root wheel 512 May 31 20:19 /var/db/pkg/mutt-2.2.5v3-gpgme-sasl
-rwxr-xr-x 1 root bin 1318616 May 29 00:37 /usr/local/bin/mutt

# With:
$ tail -25 /etc/ssl/cert.pem >> .mutt_test_certificates

$ mutt -F .muttrc-test
G
E
Reading /var/mail/aer...
Reading /var/mail/aer... 0
Looking up mail.spacehopper.org...
Connecting to mail.spacehopper.org...
SSL failed: error:14FFF086:SSL routines:(UNKNOWN)SSL_internal:certificate verify failed
Error connecting to server: mail.spacehopper.org

Regards

--
aer
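Stuart's expectation above (with ssl_usesystemcerts=no, the certificate file has to hold the server, intermediate and CA certificates before validation can succeed) can be checked outside mutt with plain openssl. The script below is an added illustration, not code from the thread or from mutt: it builds a constructed root -> intermediate -> leaf chain, then runs a chain-gap check and a full path validation over the three states of a mutt-style certificate file seen in the thread (server cert only, server cert plus an unrelated self-signed cert, the full chain). It assumes an openssl binary with its default config; all names are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or from mutt): constructed chain,
# then three versions of a mutt-style certificate_file are checked the
# way Stuart's test case exercises them. Names/hostnames are placeholders.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
KEYGEN="-newkey rsa:2048 -nodes"   # expanded unquoted on purpose (several words)

# mkcert NAME CN ISSUER CA_FLAG: CSR + "x509 -req"; self-signed when ISSUER is empty.
mkcert() {
  printf 'basicConstraints=critical,CA:%s\n' "$4" > "$WORK/$1.ext"
  openssl req -new $KEYGEN -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
  if [ -z "$3" ]; then signer="-signkey $WORK/$1.key"
  else signer="-CA $WORK/$3.pem -CAkey $WORK/$3.key -CAcreateserial"; fi
  openssl x509 -req -in "$WORK/$1.csr" $signer -days 2 -extfile "$WORK/$1.ext" \
    -out "$WORK/$1.pem" 2>/dev/null
}

# chain_gaps FILE: print the subject of every cert in FILE whose issuer is not
# the subject of some cert in FILE. A self-signed cert never shows up (it is
# its own issuer); a server cert saved without its chain always does.
chain_gaps() {
  d=$(mktemp -d "$WORK/split.XXXXXX")
  awk -v d="$d" '/-BEGIN CERT/{n++; f=sprintf("%s/%03d.pem", d, n)} f{print > f}' "$1"
  for c in "$d"/*.pem; do openssl x509 -noout -subject -in "$c"; done \
    | sed 's/^[^=]*=//' > "$d/subjects"
  for c in "$d"/*.pem; do
    iss=$(openssl x509 -noout -issuer -in "$c" | sed 's/^[^=]*=//')
    grep -Fxq -- "$iss" "$d/subjects" || openssl x509 -noout -subject -in "$c"
  done
}

# verifies FILE: full path validation of the leaf with FILE as the trust file
# (the binary's default store is also consulted, but it issued none of these).
verifies() { openssl verify -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1; }

mkcert root  "Constructed Test Root"         ""   TRUE
mkcert int   "Constructed Test Intermediate" root TRUE
mkcert leaf  "mail.example.invalid"          int  FALSE
mkcert other "Unrelated Self-Signed"         ""   TRUE
cat "$WORK/leaf.pem"                                  > "$WORK/leaf_only.pem"        # what mutt saved
cat "$WORK/leaf.pem" "$WORK/other.pem"                > "$WORK/leaf_plus_other.pem"  # the "tail -25" trick
cat "$WORK/leaf.pem" "$WORK/int.pem" "$WORK/root.pem" > "$WORK/full_chain.pem"       # what it should save
for f in leaf_only leaf_plus_other full_chain; do
  printf '%-16s gaps=[%s] verify=%s\n' "$f" "$(chain_gaps "$WORK/$f.pem" | tr '\n' ' ')" \
    "$(verifies "$WORK/$f.pem" && echo ok || echo FAIL)"
done
```

Only the file that also carries the intermediate and the root verifies; the server certificate alone, and the server certificate plus an unrelated self-signed certificate, both leave a gap at the intermediate and fail path validation, so a client that accepts the second state is not building a chain at all.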
