#3916: Mutt 1.8: TOFU approach bails out on first fail or reject, not offering higher links of the cert' chain
--------------------------+----------------------
  Reporter:  kratem32      |  Owner:      mutt-dev
      Type:  enhancement   |  Status:     new
  Priority:  minor         |  Milestone:  1.8
 Component:  crypto        |  Version:
Resolution:                |  Keywords:   tofu
--------------------------+----------------------
Comment (by kevin8t8):

Hi Matthias,

I agree the quadoption patch requires too much explanation, but still prefer that over the idea in comment:34 (given the amount of work required for a small number of users).

However, if {{{X509_V_FLAG_PARTIAL_CHAIN}}} is workable and cleaner that would be excellent. I would rather the $ssl_verify_partial_chains option be marked as only supported by OpenSSL 1.0.2 than change the requirement for all of mutt just yet.

My understanding of what you are proposing is as follows.

If $ssl_verify_partial_chains=yes:
 * Set {{{X509_V_FLAG_PARTIAL_CHAIN}}}
 * This should cause OpenSSL to automatically construct a partial chain using the stored certificates.
 * Therefore, we don't need the "automatic skip" code inside ssl_verify_callback(), because if a node in the chain has preverify_ok=0, there are no following nodes that will preverify. (Not sure about session certs though...)
 * For now, keep the (s)kip prompt inside interactive_check_cert(), so that they can choose the particular node in the chain they want to save during the first connection attempt.

If $ssl_verify_partial_chains=no:
 * Behavior just like 1.8.0 release.
 * No (s)kip prompt in interactive_check_cert().

If I have time I will play around with this, but most likely won't be able to until this weekend.

Thank you for your time and effort helping with this issue!

--
Ticket URL: <https://dev.mutt.org/trac/ticket/3916#comment:52>
Mutt <http://www.mutt.org/>
The Mutt mail user agent
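An added illustration of what the flag under discussion changes, written for this page and not taken from the ticket or from Mutt's source. It uses the openssl command-line tool's -partial_chain option, which sets X509_V_FLAG_PARTIAL_CHAIN on the verify parameters, the same flag Mutt would set in its X509_STORE. It builds a constructed three-level PKI (root, intermediate CA, leaf) in a temporary directory and then verifies the leaf three ways: with the root trusted and the intermediate supplied as untrusted (the normal case), with only the intermediate in the trust file (what a user gets after saving an intermediate via the (s)kip prompt), and the same store with -partial_chain. All certificate names are made up, and the script assumes an openssl binary of version 1.1.1 or later in PATH.

```shell
#!/bin/sh
# Added example, not from the Mutt ticket: shows the effect of OpenSSL's
# X509_V_FLAG_PARTIAL_CHAIN via the CLI's -partial_chain option.
# Every certificate here is constructed on the fly; nothing is real.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_pki DIR: create root.pem -> inter.pem -> leaf.pem (plus keys) in DIR.
make_pki() {
    dir=$1
    # Self-signed root. 'req -x509' picks up CA:TRUE from the default config.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/root.key" \
        -out "$dir/root.pem" -subj /CN=Constructed-Root -days 1 >/dev/null 2>&1

    # Intermediate CA: a CSR signed by the root with explicit CA extensions,
    # so that OpenSSL accepts it as an issuer (X509_check_ca must succeed).
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/inter.key" \
        -out "$dir/inter.csr" -subj /CN=Constructed-Intermediate >/dev/null 2>&1
    openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -extfile "$dir/ca.ext" -out "$dir/inter.pem" -days 1 >/dev/null 2>&1

    # Leaf (server) certificate issued by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/leaf.key" \
        -out "$dir/leaf.csr" -subj /CN=imap.example.invalid >/dev/null 2>&1
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/inter.pem" -CAkey "$dir/inter.key" \
        -CAcreateserial -out "$dir/leaf.pem" -days 1 >/dev/null 2>&1
}

# verify_chain TRUSTED_PEM LEAF_PEM [extra 'openssl verify' options]
# Prints OK when the leaf verifies against the trust file, FAIL otherwise.
# Only a line ending in ": OK" signals success; error text never does.
verify_chain() {
    trusted=$1
    leaf=$2
    shift 2
    if openssl verify "$@" -CAfile "$trusted" "$leaf" 2>/dev/null | grep -q ': OK$'; then
        echo OK
    else
        echo FAIL
    fi
}

make_pki "$WORK"

# 1. Conventional trust: root in the store, intermediate passed as untrusted
#    (the server would send it in the TLS handshake).
echo "root trusted, intermediate untrusted: $(verify_chain "$WORK/root.pem" "$WORK/leaf.pem" -untrusted "$WORK/inter.pem")"

# 2. Store holds only the intermediate (a user saved it with (s)kip). Without
#    the partial-chain flag OpenSSL insists on reaching a self-signed root and
#    reports "unable to get issuer certificate".
echo "intermediate trusted, default flags:  $(verify_chain "$WORK/inter.pem" "$WORK/leaf.pem")"

# 3. Same store with X509_V_FLAG_PARTIAL_CHAIN: the stored intermediate is
#    accepted as the trust anchor and the chain ends there.
echo "intermediate trusted, -partial_chain: $(verify_chain "$WORK/inter.pem" "$WORK/leaf.pem" -partial_chain)"
```

The second and third checks are the pair that matters for the proposal: with the flag set, a saved intermediate is enough on its own, which is why the "automatic skip" logic in ssl_verify_callback() becomes unnecessary, while the (s)kip prompt is still needed once so the user can pick which node of the chain to store.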