#3916: Mutt 1.8: TOFU approach bails out on first fail or reject, not offering higher links of the cert' chain
--------------------------+----------------------
  Reporter:  kratem32      |      Owner:  mutt-dev
      Type:  enhancement   |     Status:  new
  Priority:  minor         |  Milestone:  1.8
 Component:  crypto        |    Version:
Resolution:                |   Keywords:  tofu
--------------------------+----------------------
Comment (by m-a):

 So, to conclude my proposals, I have written the improvement code and offer it in two forms. Both are incremental to attachment:ticket-3916-clear-errs-v2.patch - so this one needs to be used for either. We cannot forgo the skip code because otherwise we will not reinstate the "feature" to trust a certificate further down the chain.

 I've tested with OpenSSL 1.0.1u, the $ssl_verify_partial_chains option gets disabled properly there in line with Kevin's comment:52, I've documented it as such, and I do not suggest that we go any further with mutt code for 1.0.1 compatibility since 1.0.1 is EOL and for other reasons in my comment:53.

 For easier review, I am proposing attachment:ticket-3916-partial-incremental.patch because it makes it easier to see what changed over the quadoption patch. For publication, in order to avoid confusing history, I am proposing attachment:ticket-3916-partial-squashed.patch instead, which adds the Boolean option directly.

 For testers, choose to either:

 * apply 3 patches: (1) attachment:ticket-3916-clear-errs-v2.patch, (2) attachment:ticket-3916-verify-partial-quadoption.patch, (3) attachment:ticket-3916-partial-incremental.patch

 or

 * apply 2 patches: (1) attachment:ticket-3916-clear-errs-v2.patch, (2) attachment:ticket-3916-partial-squashed.patch

--
Ticket URL: <https://dev.mutt.org/trac/ticket/3916#comment:54>
Mutt <http://www.mutt.org/>
The Mutt mail user agent