#3903: Rework OpenSSL certificate verification to support alternative chains
--------------------------+----------------------
  Reporter:  kempniu      |      Owner:  mutt-dev
      Type:  enhancement  |     Status:  closed
  Priority:  minor        |  Milestone:
 Component:  crypto       |    Version:
Resolution:  fixed        |   Keywords:
--------------------------+----------------------
Changes (by Michał Kępień <mutt@…>):

 * status:  new => closed
 * resolution:   => fixed

Comment:

 In [changeset:"b985c324932b2758b21012ef8f61a6017367798c" 6890:b985c324932b]:
 {{{
 #!CommitTicketReference repository="" revision="b985c324932b2758b21012ef8f61a6017367798c"
 Rework OpenSSL certificate verification to support alternative chains.
 (closes #3903)

 The way Mutt currently verifies SSL certificates using OpenSSL does not
 support alternative chains, which may cause confusion when some popular
 mail providers (e.g. Gmail) are used with specific sets of trusted CA
 certificates.

 Replace the "manual" verification done by mutt in
 check_certificate_by_signer() with SSL_set_verify() using a callback.
 OpenSSL then does the certificate verification, including properly
 looking at alternative chains. The callback still provides the
 opportunity to override using ~/.mutt_certificates or an interactive
 prompt.
 }}}

--
Ticket URL: <https://dev.mutt.org/trac/ticket/3903#comment:8>
Mutt <http://www.mutt.org/>
The Mutt mail user agent