#3916: Mutt 1.8: TOFU approach bails out on first fail or reject, not offering
higher links of the cert' chain
--------------------------+----------------------
Reporter: kratem32 | Owner: mutt-dev
Type: enhancement | Status: new
Priority: minor | Milestone: 1.8
Component: crypto | Version:
Resolution: | Keywords: tofu
--------------------------+----------------------
Comment (by m-a):
So, to conclude my proposals, I have written the improvement code and
offer it in two forms. Both are incremental to
attachment:ticket-3916-clear-errs-v2.patch - so this one needs to be used for either.
We cannot forgo the skip code because otherwise we will not reinstate the
"feature" to trust a certificate further down the chain.
I've tested with OpenSSL 1.0.1u, the $ssl_verify_partial_chains option
gets disabled properly there in line with Kevin's comment:52, I've
documented it as such, and I do not suggest that we go any further with
mutt code for 1.0.1 compatibility since 1.0.1 is EOL and for other reasons
in my comment:53.
For easier review, I am proposing
attachment:ticket-3916-partial-incremental.patch because it makes it easier to see what changed over the
quadoption patch.
For publication, in order to avoid confusing history, I am proposing
attachment:ticket-3916-partial-squashed.patch instead which adds the
Boolean option directly.
For testers, choose to either:
* apply 3 patches, (1) attachment:ticket-3916-clear-errs-v2.patch, (2)
attachment:ticket-3916-verify-partial-quadoption.patch, (3)
attachment:ticket-3916-partial-incremental.patch
or
* apply 2 patches, (1) attachment:ticket-3916-clear-errs-v2.patch, (2)
attachment:ticket-3916-partial-squashed.patch
--
Ticket URL: <https://dev.mutt.org/trac/ticket/3916#comment:54>
Mutt <http://www.mutt.org/>
The Mutt mail user agent