On Wed, Jun 01, 2022 at 02:56:48PM +0200, Theo Buehler wrote:
> On Tue, May 31, 2022 at 03:00:48PM +0100, Stuart Henderson wrote:
> > I've been able to replicate this now, but I'm not seeing any recent
> > change in behaviour, I've tried with mutt versions going back to 2.0.7
> > with the libressl version in 7.1, and on 7.0 with the current version
> > of mutt in packages for release, and they all behave the same.
> >
> > It's not specific to any particular mail server but requires
> > ssl_usesystemcerts=no.
> >
> > Avon: to workaround your problem, remove "set ssl_usesystemcerts=no",
> > it will then validate against /etc/ssl/cert.pem and avoid asking you
> > each time. But I don't see what could have changed recently that is
> > triggering it.
> >
> > Test case:
> >
> > $ cat .muttrc-test
> > set certificate_file="~/.mutt_test_certificates"
> > set pop_host="pops://test_libressl_issue@mail.spacehopper.org:995"
> > set ssl_usesystemcerts=no
> >
> > $ rm .mutt_test_certificates
> > $ mutt -F .muttrc-test
> >
> > <hit G, "fetch-mail">
> > <hit a, "accept always">
> > ^C, exit
> > repeat trying to fetch mail
> >
> > With the "ssl_usesystemcerts=no" config, I would expect that mutt would
> > need to save all of (server, intermediate, CA) certificates to its cert
> > file, in order that it can verify in future.
> >
> > What actually happens is the server certificate is saved, not the CA
> > or intermediate certificate, and *somehow* the validation succeeds if you
> > append _any_ self-signed certificate (e.g. tail -25 /etc/ssl/cert.pem >>
> > .mutt_test_certificates).
> >
> > Not sure if this is a Mutt problem or a LibreSSL one. I haven't compared
> > with a build done against OpenSSL rather than LibreSSL yet (the only
> > other install I have handy right now is Debian and their Mutt packages
> > use gnutls instead which don't support setting ssl_usesystemcerts at all).
>
> It seems to be another issue with the new verifier. I cannot reproduce
> with mutt linked against eopenssl11 and I cannot reproduce with the
> legacy verifier.
>
> x509_verify_ctx_validate_legacy_chain() fails because PARTIAL_CHAIN
> isn't set and trust is X509_TRUST_UNTRUSTED.
>
> The connection works with the new verifier if the above muttrc is
> extended with 'set ssl_verify_partial_chains=yes'.
>
Thank you Theo. That is good to know.
I will leave 'set ssl_usesystemcerts' at its default setting for now, as
advised by Stuart. I may remove it from my ~/.muttrc and use
'set ssl_verify_partial_chains=yes' in the future; however, if changing
immediately would be useful, tell me and I will change it.
When I have time I will familiarise myself further with ssl(3)
and openssl(1).
Regards
--
aer
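The trust-store behaviour Theo describes, shown with plain openssl(1) rather than through mutt. This is an added example, not code from the thread, from mutt or from LibreSSL. It generates a private root, intermediate and leaf locally (constructed test data with invented names; nothing here touches mail.spacehopper.org), then verifies the leaf three ways: against a store holding only the leaf, which is what mutt writes to certificate_file; the same store with the PARTIAL_CHAIN flag, which is what 'set ssl_verify_partial_chains=yes' turns on (mutt sets X509_V_FLAG_PARTIAL_CHAIN); and against a store holding the whole chain, which is what Stuart expected mutt to save. It assumes an openssl(1) of version 1.1.1 or newer on PATH and writes a minimal req(1) config of its own so the result does not depend on /etc/ssl/openssl.cnf.

```shell
#!/bin/sh
# Added example (not from the thread, mutt or LibreSSL): reproduce with
# openssl(1) why a certificate_file holding only the server certificate
# verifies only when partial chains are allowed.  All certificates below
# are constructed test data; the names are invented.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req(1) config so nothing depends on the system openssl.cnf.
write_req_config() {
    printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = placeholder\n' >"$1"
}

# $1 = output basename, $2 = subject CN.  Produces $1.key and $1.csr.
new_key_and_csr() {
    openssl req -new -config "$WORK/req.cnf" -subj "/CN=$2" \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
}

# Build a three-certificate chain in $1: self-signed root -> intermediate -> leaf.
make_test_chain() {
    dir=$1
    write_req_config "$dir/req.cnf"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' >"$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.invalid\n' >"$dir/leaf.ext"

    new_key_and_csr "$dir/root" "Constructed Test Root CA"
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 2 \
        -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null

    new_key_and_csr "$dir/int" "Constructed Test Intermediate CA"
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 2 -extfile "$dir/ca.ext" -out "$dir/int.pem" 2>/dev/null

    new_key_and_csr "$dir/leaf" "mail.example.invalid"
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -CAcreateserial -days 2 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null

    # What mutt currently saves to certificate_file: the server certificate only.
    cp "$dir/leaf.pem" "$dir/leaf_only.pem"
    # What a verifier without PARTIAL_CHAIN needs in the store: a path to a self-signed root.
    cat "$dir/leaf.pem" "$dir/int.pem" "$dir/root.pem" >"$dir/full_chain.pem"
}

# Verify $2 with $1 as the only trust store (the ssl_usesystemcerts=no situation).
# Any further arguments are passed to openssl verify.  Prints "ok" or "fail".
verify_result() {
    store=$1
    target=$2
    shift 2
    if openssl verify "$@" -CAfile "$store" "$target" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# The three cases from the thread, as one summary line.
run_cases() {
    dir=$1
    leaf_only=$(verify_result "$dir/leaf_only.pem" "$dir/leaf.pem")
    partial=$(verify_result "$dir/leaf_only.pem" "$dir/leaf.pem" -partial_chain)
    full=$(verify_result "$dir/full_chain.pem" "$dir/leaf.pem")
    echo "leaf_only=$leaf_only partial_chain=$partial full_chain=$full"
}

make_test_chain "$WORK"
run_cases "$WORK"
```

The leaf-only store fails because the verifier looks for an issuer of the leaf, finds none, and never treats a non-self-signed store entry as a trust anchor unless PARTIAL_CHAIN is set; with -partial_chain the leaf's own presence in the store is enough, and with the full chain the root is self-signed so no flag is needed. The script leaves out the intermediate that a real server sends during the handshake (mutt hands that to the verifier as an untrusted certificate); it does not change which of the three stores verify. Stuart's observation that appending an unrelated self-signed certificate makes the leaf-only store pass is specific to the LibreSSL verifier under discussion and is not reproduced here.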