#3916: Mutt 1.8: TOFU approach bails out on first fail or reject, not offering
higher links of the cert chain
--------------------------+----------------------
  Reporter:  kratem32     |      Owner:  mutt-dev
      Type:  enhancement  |     Status:  new
  Priority:  minor        |  Milestone:  1.8
 Component:  crypto       |    Version:
Resolution:               |   Keywords:  tofu
--------------------------+----------------------

Comment (by kratem32):

 Here are the relevant logfiles produced by running mutt with -d3 (latest
 patch included)

 First connection (empty cert file, CA cert skipped, host cert accepted)

 {{{

 [2017-02-26 15:38:12] Connecting to mail.XXX.de...
 [2017-02-26 15:38:12] ssl_load_certificates: loading trusted certificates
 [2017-02-26 15:38:12] ssl_socket_open: Error loading trusted certificates
 [2017-02-26 15:38:12] ssl_verify_callback: checking cert chain entry
 /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 (preverify: 0
 skipmode: 0)
 [2017-02-26 15:38:12] X509_verify_cert: unable to get local issuer
 certificate (20)
 [2017-02-26 15:38:16] ssl interactive_check_cert: done=2
 [2017-02-26 15:38:16] ssl_verify_callback: checking cert chain entry
 /CN=XXX.de (preverify: 1 skipmode: 1)
 [2017-02-26 15:38:16] ssl_verify_callback: hostname check passed
 [2017-02-26 15:38:16] X509_verify_cert: unable to get local issuer
 certificate (20)
 [2017-02-26 15:38:18] Certificate saved
 [2017-02-26 15:38:18] ssl_cache_trusted_cert: trusted
 [2017-02-26 15:38:18] ssl interactive_check_cert: done=2
 [2017-02-26 15:38:18] TLSv1.2 connection using TLSv1/SSLv3 (DHE-RSA-AES256
 -GCM-SHA384)
 }}}




 Second connection (host cert available, CA cert skipped)

 {{{

 [2017-02-26 15:49:33] Connecting to mail.XXX.de...
 [2017-02-26 15:49:33] ssl_load_certificates: loading trusted certificates
 [2017-02-26 15:49:33] ssl_verify_callback: checking cert chain entry
 /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 (preverify: 0
 skipmode: 0)
 [2017-02-26 15:49:33] X509_verify_cert: unable to get local issuer
 certificate (20)
 [2017-02-26 15:49:35] ssl interactive_check_cert: done=2
 [2017-02-26 15:49:35] ssl_verify_callback: checking cert chain entry
 /CN=XXX.de (preverify: 1 skipmode: 1)
 [2017-02-26 15:49:35] ssl_verify_callback: hostname check passed
 [2017-02-26 15:49:35] ssl_verify_callback: digest check passed
 [2017-02-26 15:49:35] TLSv1.2 connection using TLSv1/SSLv3 (DHE-RSA-AES256
 -GCM-SHA384)
 }}}

--
Ticket URL: <https://dev.mutt.org/trac/ticket/3916#comment:36>
Mutt <http://www.mutt.org/>
The Mutt mail user agent
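The two debug traces above show the shape of the TOFU walk: the chain is checked root-first, the CA link fails path validation ("unable to get local issuer certificate"), the user skips it, and the host certificate is then judged on its own by the hostname check and, once it has been saved, by the digest check. The following model of that walk is an added example written for this page; it is not mutt's code, and the SHA-256 pinning identity, the prompt answer names and the constructed chain bytes are this example's own assumptions. It reproduces the first and second connection from the logs and then shows the ticket's complaint: answering "reject" on the CA link aborts the handshake before the already-saved host certificate is consulted, and also shows what the saved digest buys you when the host certificate changes.

```python
"""Simplified model of a TOFU certificate-chain walk (added example, not mutt's code)."""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

# Answers to the interactive prompt. The names are this example's own.
REJECT, ACCEPT_ONCE, ACCEPT_ALWAYS, SKIP = "reject", "once", "always", "skip"


@dataclass(frozen=True)
class ChainEntry:
    """One link of the chain as presented by the server during the handshake."""
    subject: str
    der: bytes                    # constructed stand-in for the certificate's DER bytes
    preverify_ok: bool            # what the library's path validation said for this link
    names: Tuple[str, ...] = ()   # names the certificate is valid for (leaf only)


def cert_digest(der: bytes) -> str:
    # Assumption of this example: SHA-256 over the encoded certificate is the pinning
    # identity. This says nothing about which hash mutt itself uses.
    return hashlib.sha256(der).hexdigest()


class TrustedCertFile:
    """Stand-in for the file of certificates the user accepted with 'always'."""

    def __init__(self) -> None:
        self.digests: Set[str] = set()

    def contains(self, der: bytes) -> bool:
        return cert_digest(der) in self.digests

    def save(self, der: bytes) -> None:
        self.digests.add(cert_digest(der))


def verify_chain(chain: List[ChainEntry], hostname: str, store: TrustedCertFile,
                 decide: Callable[[ChainEntry], str], log: List[str]) -> bool:
    """Walk the chain root-first, the order the logs above show (CA link, then host cert).

    A link that failed path validation, or any link once the user has chosen 'skip',
    must pass the digest check against the saved certificates or be accepted at the
    prompt. 'reject' on any link aborts the whole handshake, which is what the ticket
    is about. Returns True when the connection may proceed.
    """
    skipmode = False
    for depth, entry in enumerate(chain):
        is_leaf = depth == len(chain) - 1
        log.append(f"checking cert chain entry {entry.subject} "
                   f"(preverify: {int(entry.preverify_ok)} skipmode: {int(skipmode)})")
        if entry.preverify_ok and not skipmode:
            continue                      # validated and nothing skipped: accept this link
        if is_leaf:
            if hostname not in entry.names:
                log.append("hostname check failed")
                return False
            log.append("hostname check passed")
        if store.contains(entry.der):
            log.append("digest check passed")
            continue
        answer = decide(entry)            # plays the interactive prompt
        if answer == REJECT:
            log.append("rejected")
            return False                  # bails out here, whatever the later links hold
        if answer == ACCEPT_ALWAYS:
            store.save(entry.der)
            log.append("Certificate saved")
        elif answer == SKIP:              # only meaningful for a non-leaf link
            skipmode = True
        # ACCEPT_ONCE and SKIP both let the walk continue to the next link
    return True


# Constructed stand-in chain; the bytes are digest input only, not real certificates.
CA = ChainEntry("/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3",
                b"constructed-intermediate-cert", preverify_ok=False)
HOST = ChainEntry("/CN=XXX.de", b"constructed-host-cert", preverify_ok=True,
                  names=("XXX.de", "mail.XXX.de"))
# Same subject and names, different bytes: what a swapped host certificate looks like.
OTHER_HOST = ChainEntry("/CN=XXX.de", b"constructed-different-host-cert",
                        preverify_ok=True, names=("XXX.de", "mail.XXX.de"))


def connect(store: TrustedCertFile, chain: List[ChainEntry],
            answers: Dict[str, str]) -> Tuple[bool, List[str]]:
    """One handshake against `chain`, answering prompts from `answers` keyed by subject."""
    log: List[str] = []
    ok = verify_chain(chain, "mail.XXX.de", store, lambda e: answers[e.subject], log)
    return ok, log


def replay_ticket_logs():
    store = TrustedCertFile()
    # First connection: skip the CA link, accept the host cert 'always'.
    first = connect(store, [CA, HOST], {CA.subject: SKIP, HOST.subject: ACCEPT_ALWAYS})
    # Second connection: skip the CA link again; the host cert now passes the digest check.
    second = connect(store, [CA, HOST], {CA.subject: SKIP})
    # Third: rejecting the CA link aborts before the saved host cert is even looked at.
    third = connect(store, [CA, HOST], {CA.subject: REJECT})
    # Fourth: a changed host cert misses the digest check and comes back to the prompt.
    fourth = connect(store, [CA, OTHER_HOST], {CA.subject: SKIP, OTHER_HOST.subject: REJECT})
    return first, second, third, fourth


if __name__ == "__main__":
    for ok, log in replay_ticket_logs():
        print("connected" if ok else "failed", "/".join(log))
```

The third scenario is the ticket in miniature: the walk never reaches the host certificate, so the digest the user saved on the first connection is never consulted. The fourth shows the other side of the TOFU trade-off: a certificate with the same subject but different bytes does not match the saved digest and is pushed back to the user rather than accepted silently.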
