On 12.02.2017 at 00:04, Kevin J. McCarthy wrote:
> On Thu, Feb 09, 2017 at 10:56:36PM +0000, isdtor wrote:
>>> What I hear you saying is that *with* the expired imap.google.com
>>> certificate, you are getting a prompt for an expired Google G2 cert
>>> (the 2nd in the chain). But without the expired imap.google.com you
>>> are getting no prompt. Is that right?
>> That is correct. With only two certs in the local store and no cert
>> for imap.google.com present, it proceeds straight to the password
>> prompt. It's like the actual server cert is considered optional
>> because the rest of the chain checks out.
> Hi isdtor,
>
> So, after some research it seems there is a warning about this issue in
> the SSL_CTX_load_verify_locations man page.
>
> The attached patch seems to fix the problem for me: it filters out
> expired certs for the initial verification/chain construction. The
> entire $certificate_file is still used in the verification callback if
> needed, but is just filtered from OpenSSL's trusted store.
>
> I'd appreciate if you could give this a try.
>
All this certificate handling apparently introduces memory leaks. I
first tried to get a hold of them with clang's address sanitizer, which
seems somehow handicapped on Ubuntu 16.04, but valgrind seems useful
enough even if it hogs down performance even more.