#3916: Mutt 1.8: TOFU approach bails out on first fail or reject, not offering
higher links of the cert' chain
--------------------------+----------------------
  Reporter:  kratem32     |      Owner:  mutt-dev
      Type:  enhancement  |     Status:  new
  Priority:  minor        |  Milestone:  1.8
 Component:  crypto       |    Version:
Resolution:               |   Keywords:  tofu
--------------------------+----------------------

Comment (by m-a):

 We're on the same page, with a few remarks:

  * Regarding support of older OpenSSL versions, the assumption is if
 someone is using a very old OS they won't need to build a new mutt, or
 they can use a local OpenSSL install and link against that instead.
  * Correct on the skip modes, with the exception that I believe that the
 (s)kip prompt will not stay "for now", but "for a long time to come" (=
 many releases)

 So, OpenSSL 1.1.0 and the OpenSSL Git master built earlier in 2017 (I
 think mid February) both seem fine with {{{X509_V_FLAG_PARTIAL_CHAIN}}}.
 Looking at the debug traces shows that our verify callback is invoked
 first for the certificate that OpenSSL uses as trust anchor, and with
 preverify_ok==1, but if the host certificate itself is in the trust store,
 OpenSSL presents the entire chain, with preverify_ok==1. Not sure if that
 inconsistency is intentional or an OpenSSL bug, but at least it does not
 hurt our purpose.

--
Ticket URL: <https://dev.mutt.org/trac/ticket/3916#comment:53>
Mutt <http://www.mutt.org/>
The Mutt mail user agent

Reply via email to