#3916: Mutt 1.8: TOFU approach bails out on first fail or reject, not offering higher links of the cert' chain
--------------------------+----------------------
 Reporter:  kratem32      |  Owner:  mutt-dev
     Type:  enhancement   |  Status:  new
 Priority:  minor         |  Milestone:  1.8
Component:  crypto        |  Version:
Resolution:               |  Keywords:  tofu
--------------------------+----------------------
Comment (by m-a):

We're on the same page, with a few remarks:

 * Regarding support of older OpenSSL versions, the assumption is that if someone is using a very old OS they won't need to build a new mutt, or they can use a local OpenSSL install and link against that instead.
 * Correct on the skip modes, with the exception that I believe that the (s)kip prompt will not stay "for now", but "for a long time to come" (= many releases).

So, OpenSSL 1.1.0 and the OpenSSL Git master built earlier in 2017 (I think mid February) both seem fine with {{{X509_V_FLAG_PARTIAL_CHAIN}}}. Looking at the debug traces shows that our verify callback is invoked first for the certificate that OpenSSL uses as the trust anchor, with preverify_ok==1, but if the host certificate itself is in the trust store, OpenSSL presents the entire chain, with preverify_ok==1. Not sure if that inconsistency is intentional or an OpenSSL bug, but at least it does not hurt our purpose.

--
Ticket URL: <https://dev.mutt.org/trac/ticket/3916#comment:53>
Mutt <http://www.mutt.org/>
The Mutt mail user agent