#3916: Mutt 1.8: TOFU approach bails out on first fail or reject, not offering
higher links of the cert' chain
--------------------------+----------------------
Reporter: kratem32 | Owner: mutt-dev
Type: enhancement | Status: new
Priority: minor | Milestone: 1.8
Component: crypto | Version:
Resolution: | Keywords: tofu
--------------------------+----------------------
Comment (by m-a):
We're on the same page, with a few remarks:
* Regarding support of older OpenSSL versions, the assumption is if
someone is using a very old OS they won't need to build a new mutt, or
they can use a local OpenSSL install and link against that instead.
* Correct on the skip modes, with the exception that I believe that the
(s)kip prompt will not stay "for now", but "for a long time to come" (=
many releases).
So, OpenSSL 1.1.0 and the OpenSSL Git master built earlier in 2017 (I
think mid February) both seem fine with {{{X509_V_FLAG_PARTIAL_CHAIN}}}.
Looking at the debug traces shows that our verify callback is invoked
first for the certificate that OpenSSL uses as trust anchor, and with
preverify_ok==1, but if the host certificate itself is in the trust store,
OpenSSL presents the entire chain, with preverify_ok==1. Not sure if that
inconsistency is intentional or an OpenSSL bug, but at least it does not
hurt our purpose.
--
Ticket URL: <https://dev.mutt.org/trac/ticket/3916#comment:53>
Mutt <http://www.mutt.org/>
The Mutt mail user agent
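The behaviour described in the comment, trusting a "higher link" of the chain or the host certificate itself, is what OpenSSL's `X509_V_FLAG_PARTIAL_CHAIN` enables; its command-line counterpart is `openssl verify -partial_chain`. The script below is an added example, not code from the ticket or from mutt: it builds a throwaway root -> intermediate -> leaf chain with the `openssl` CLI (the subject names `Demo Root`, `Demo Intermediate` and `mail.example.invalid` are constructed) and then checks which trust anchors `openssl verify` accepts with and without the flag. It assumes an OpenSSL 1.1.0 or newer `openssl` binary on `PATH`.

```shell
#!/bin/sh
# Added example (not from the mutt ticket or the mutt sources).
# Builds root -> intermediate -> leaf and shows that an intermediate, or the
# leaf itself, is only accepted as a trust anchor with -partial_chain, the
# CLI form of X509_V_FLAG_PARTIAL_CHAIN. Names below are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config so the example does not depend on the system openssl.cnf.
cat > "$WORK/mini.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF

# make_chain: writes root.pem, inter.pem and leaf.pem (plus keys) into $WORK.
make_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$WORK/mini.cnf" \
    -extensions v3_ca -subj "/CN=Demo Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -config "$WORK/mini.cnf" \
    -subj "/CN=Demo Intermediate" \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$WORK/inter.csr" \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/mini.cnf" -extensions v3_ca -out "$WORK/inter.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -config "$WORK/mini.cnf" \
    -subj "/CN=mail.example.invalid" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$WORK/leaf.csr" \
    -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" -CAcreateserial \
    -extfile "$WORK/mini.cnf" -extensions v3_leaf -out "$WORK/leaf.pem" 2>/dev/null
}

# verify_with ANCHOR [FLAGS...]: verifies leaf.pem with ANCHOR as the only
# trusted certificate. The intermediate is always passed as -untrusted, as a
# TLS server would send it. Prints "ok" or "fail".
verify_with() {
  anchor="$1"; shift
  if openssl verify "$@" -CAfile "$anchor" -untrusted "$WORK/inter.pem" \
       "$WORK/leaf.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

make_chain
echo "root anchor, no flag:                  $(verify_with "$WORK/root.pem")"
echo "intermediate anchor, no flag:          $(verify_with "$WORK/inter.pem")"
echo "intermediate anchor, -partial_chain:   $(verify_with "$WORK/inter.pem" -partial_chain)"
echo "leaf itself as anchor, -partial_chain: $(verify_with "$WORK/leaf.pem" -partial_chain)"

# Show where the chain stops when the intermediate is the anchor (-show_chain
# is cosmetic here; ignore failure on an openssl that lacks it).
openssl verify -show_chain -partial_chain -CAfile "$WORK/inter.pem" \
  -untrusted "$WORK/inter.pem" "$WORK/leaf.pem" 2>/dev/null || true
```

Without `-partial_chain` the intermediate is rejected as an anchor even though it is in the trust store, because OpenSSL insists on reaching a self-signed root; with the flag the chain is cut at the first trusted link, which is the property the TOFU prompt relies on when the user accepts a non-root certificate.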