#3916: Mutt 1.8: TOFU approach bails out on first fail or reject, not offering higher links of the cert' chain
--------------------------+----------------------
  Reporter:  kratem32     |      Owner:  mutt-dev
      Type:  enhancement  |     Status:  new
  Priority:  minor        |  Milestone:  1.8
 Component:  crypto       |    Version:
Resolution:               |   Keywords:  tofu
--------------------------+----------------------

Comment (by m-a):

 Various finds we may need to look at when we have saved intermediate CA
 certificates as 'trusted':

 * {{{-partial_chain}}} in [https://wiki.openssl.org/index.php/Manual:Verify(1)]
 * [http://openssl.6102.n7.nabble.com/Unable-to-trust-leaf-Certificate-td46042.html]

 Bottom line, for what we're trying to achieve, if the root itself isn't
 trusted, we may need to set {{{X509_V_FLAG_PARTIAL_CHAIN}}} which appears
 to have been new in 1.0.2 (which is the oldest OpenSSL version supported by
 the upstream). It's under Certificate Verify Flags in
 {{{openssl/x509_vfy.h}}}.

--
Ticket URL: <https://dev.mutt.org/trac/ticket/3916#comment:47>
Mutt <http://www.mutt.org/>
The Mutt mail user agent
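The OpenSSL behaviour the comment is pointing at, shown with a throwaway root -> intermediate -> leaf chain built with the openssl CLI; this is an added example, not Mutt's code and not part of the ticket. `-partial_chain` is the verify(1) spelling of `X509_V_FLAG_PARTIAL_CHAIN`; all subject names and file names below are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not Mutt's code). Verifies a leaf certificate when only the
# intermediate CA is in the trust store and the root is deliberately absent,
# once without and once with -partial_chain (X509_V_FLAG_PARTIAL_CHAIN).
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension files: the intermediate must be marked as a CA, the leaf must not.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.test\n' > leaf.ext

# Self-signed root (constructed, throwaway).
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj /CN=TestRoot \
  -keyout root.key -out root.pem 2>/dev/null
# Intermediate CA signed by the root.
openssl req -new -newkey rsa:2048 -nodes -subj /CN=TestIntermediate \
  -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -days 2 -in inter.csr -CA root.pem -CAkey root.key \
  -CAcreateserial -extfile ca.ext -out inter.pem 2>/dev/null
# Leaf signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -subj /CN=mail.example.test \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -days 2 -in leaf.csr -CA inter.pem -CAkey inter.key \
  -CAcreateserial -extfile leaf.ext -out leaf.pem 2>/dev/null

# verify_leaf [extra verify flags]: exit status of openssl verify with only
# the intermediate trusted. Without -partial_chain the verifier still wants
# to reach a self-signed root and fails; with it the saved intermediate is
# accepted as the trust anchor.
verify_leaf() {
  openssl verify "$@" -CAfile inter.pem leaf.pem >/dev/null 2>&1
}

if verify_leaf; then echo "without -partial_chain: accepted"
else echo "without -partial_chain: rejected (unable to get issuer certificate)"; fi
if verify_leaf -partial_chain; then echo "with -partial_chain: accepted"
else echo "with -partial_chain: rejected"; fi
```

The same split applies to a Mutt-style trust store that holds an intermediate but not its root: the library call needs `X509_V_FLAG_PARTIAL_CHAIN` set on the verify parameters before that intermediate counts as a trust anchor.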