#3916: Mutt 1.8: TOFU approach bails out on first fail or reject, not offering
higher links of the cert' chain
--------------------------+----------------------
  Reporter:  kratem32     |      Owner:  mutt-dev
      Type:  enhancement  |     Status:  new
  Priority:  minor        |  Milestone:  1.8
 Component:  crypto       |    Version:
Resolution:               |   Keywords:  tofu
--------------------------+----------------------

Comment (by m-a):

 So, to conclude my proposals, I have written the improvement code and
 offer it in two forms. Both are incremental to
 attachment:ticket-3916-clear-errs-v2.patch - so this one needs to be used
 for either.

 We cannot forgo the skip code because otherwise we will not reinstate the
 "feature" to trust a certificate further down the chain.

 I've tested with OpenSSL 1.0.1u; the $ssl_verify_partial_chains option
 gets disabled properly there, in line with Kevin's comment:52. I've
 documented it as such, and I do not suggest that we go any further with
 mutt code for 1.0.1 compatibility, since 1.0.1 is EOL and for other
 reasons given in my comment:53.

 For easier review, I am proposing
 attachment:ticket-3916-partial-incremental.patch because it makes it
 easier to see what changed over the quadoption patch.

 For publication, in order to avoid confusing history, I am proposing
 attachment:ticket-3916-partial-squashed.patch instead, which adds the
 Boolean option directly.

 For testers, choose to either:
  * apply 3 patches: (1) attachment:ticket-3916-clear-errs-v2.patch, (2)
    attachment:ticket-3916-verify-partial-quadoption.patch, (3)
    attachment:ticket-3916-partial-incremental.patch
 or
  * apply 2 patches: (1) attachment:ticket-3916-clear-errs-v2.patch, (2)
    attachment:ticket-3916-partial-squashed.patch

--
Ticket URL: <https://dev.mutt.org/trac/ticket/3916#comment:54>
Mutt <http://www.mutt.org/>
The Mutt mail user agent