#3916: Mutt 1.8: TOFU approach bails out on first fail or reject, not offering
higher links of the cert' chain
--------------------------+----------------------
 Reporter:  kratem32      |      Owner:  mutt-dev
     Type:  enhancement   |     Status:  new
 Priority:  minor         |  Milestone:  1.8
Component:  crypto        |    Version:
Resolution:               |   Keywords:  tofu
--------------------------+----------------------
Comment (by kevin8t8):
Overall it looks good, Matthias. Nice work!
I'm attaching a v3 patch with the following minor changes:
* Create a shared function ssl_set_verify_partial() that is called by both
mutt_ssl_starttls() and ssl_socket_open()
* Revise a comment slightly because there is no more "automatic" skipping
* Add an #ifdef around the OPTSSLVERIFYPARTIAL check in
interactive_check_cert()
kratem32 and pete3215, I would appreciate your feedback about whether this
patch works for you. You should just need to "set
ssl_verify_partial_chains=yes" and leave it that way. If any cert in the
chain is in your $certificate_file, it should verify the whole chain
automatically. If none are, then you will be prompted node by node, but a
new (s)kip option will be available in the prompt.
--
Ticket URL: <https://dev.mutt.org/trac/ticket/3916#comment:60>
Mutt <http://www.mutt.org/>
The Mutt mail user agent
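Added example, not code from the patch or from the Mutt project: it shows with the openssl CLI what the option described above changes, by building a constructed root/intermediate/leaf chain and verifying the leaf with only the intermediate saved, once in strict mode and once with -partial_chain (the OpenSSL verify flag behind partial-chain verification). It assumes the openssl binary is installed; the file names and subjects are made up here.

```sh
#!/bin/sh
# Added example, not part of the Mutt patch: demonstrates what "partial chain"
# verification means using the openssl CLI's -partial_chain flag, which turns on
# the same OpenSSL verify flag mutt's ssl_verify_partial_chains option enables.
# Assumes the openssl binary is installed; every certificate is constructed here.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed three-tier chain: root CA -> intermediate CA -> leaf (mail server).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\n' > leaf.ext
newcsr() { openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
               -out "$1.csr" -subj "/CN=$2" 2>/dev/null; }
newcsr root "Constructed Root"
openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext \
        -out root.pem 2>/dev/null
newcsr int "Constructed Intermediate"
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 2 -extfile ca.ext -out int.pem 2>/dev/null
newcsr leaf "mail.example.test"
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -days 2 -extfile leaf.ext -out leaf.pem 2>/dev/null

# verify_leaf ANCHOR_FILE [extra verify flags]: the server presents leaf.pem
# plus int.pem; ANCHOR_FILE plays the role of $certificate_file. Prints ok/fail.
verify_leaf() {
    anchor=$1; shift
    if openssl verify "$@" -CAfile "$anchor" -untrusted int.pem leaf.pem \
            >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Root in the trust file: verifies with or without partial chains.
echo "root trusted, strict:                $(verify_leaf root.pem)"
# Only the intermediate saved (what a TOFU prompt typically stores): strict mode
# rejects it because OpenSSL insists on reaching a self-signed root...
echo "intermediate trusted, strict:        $(verify_leaf int.pem)"
# ...while -partial_chain accepts any saved cert in the chain as the anchor.
echo "intermediate trusted, partial_chain: $(verify_leaf int.pem -partial_chain)"
```

The middle case is the situation the ticket describes: the saved certificate is in the chain but is not the root, so a strict verifier rejects it while partial-chain verification accepts the whole chain.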