#3916: Mutt 1.8: TOFU approach bails out on first fail or reject, not offering higher links of the cert chain
--------------------------+----------------------
  Reporter:  kratem32     |      Owner:  mutt-dev
      Type:  enhancement  |     Status:  closed
  Priority:  minor        |  Milestone:  1.8
 Component:  crypto       |    Version:
Resolution:  fixed        |   Keywords:  tofu
--------------------------+----------------------
Comment (by kevin8t8):

 Well, Mutt is skipping it and returning true, telling OpenSSL the
 certificate is verified. But for some reason OpenSSL is sometimes calling
 the verify callback with the same certificate again. Since they pass
 preverify_ok=1 the second time, from OpenSSL's point of view there is no
 harm.

 One workaround might be adding a static variable for the last pos. If
 skip_mode && last_pos == pos then log a duplicate and return true. This
 starts to get a bit more hacky than I like.

 Another workaround would be to just get rid of the (s)kip prompt and tell
 people to manage their certificate files manually if they want to use
 partial chains.

--
Ticket URL: <https://dev.mutt.org/trac/ticket/3916#comment:68>
Mutt <http://www.mutt.org/>
The Mutt mail user agent
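The callback flow the comment is reasoning about, as an added example that is not Mutt's code and not taken from the ticket: a self-contained C model of an OpenSSL-style verify callback walked over a certificate chain from the anchor down to the leaf, with a scripted user answering accept, reject or (s)kip at each depth, and the `last_pos`/`skip_mode` guard from the comment applied to the repeated callback for the same depth. It does not link against OpenSSL; the chain walk, the duplicate invocation with `preverify_ok=1`, the names `verify_callback`, `run_chain`, `sim_reset` and the scripted answers are all constructed here. Two further rules are model assumptions, not Mutt behaviour: once a certificate higher in the chain is accepted, the rest of the chain is trusted without a prompt, and a skip at depth 0 (nothing left to skip to) is treated as a reject so the model fails closed.

```c
/*
 * Added example, not Mutt's code: a model of the verify-callback flow in
 * the ticket.  OpenSSL calls the registered callback once per certificate,
 * from the anchor (highest depth) down to the leaf (depth 0), passing its
 * own verdict in preverify_ok; whatever the callback returns is what
 * OpenSSL believes.  The comment reports a second call for the same depth
 * after the user chose (s)kip; the last_pos guard below swallows it.
 * Nothing here links against OpenSSL; the chain walk is simulated.
 */
#include <stdio.h>
#include <string.h>

#define CHAIN_MAX 8

typedef enum { ANSWER_ACCEPT, ANSWER_REJECT, ANSWER_SKIP } answer_t;

/* Scripted "user" and counters for the simulation (constructed). */
static struct {
    answer_t answer[CHAIN_MAX];  /* what the user answers at each depth */
    int prompts;                 /* times the user was asked */
    int duplicates;              /* repeated calls swallowed by the guard */
    int accepted;                /* a cert in this chain was accepted */
} sim;

static int use_guard = 1;        /* set to 0 to reproduce the double prompt */
static int skip_mode = 0;        /* user skipped the previous cert */
static int last_pos  = -1;       /* depth of the last cert we prompted for */

/* Constructed scenarios, indexed by depth: answer[0] is the leaf. */
static const answer_t script_skip_then_accept[] = { ANSWER_ACCEPT, ANSWER_ACCEPT, ANSWER_SKIP };
static const answer_t script_skip_then_reject[] = { ANSWER_ACCEPT, ANSWER_REJECT, ANSWER_SKIP };
static const answer_t script_skip_all[]         = { ANSWER_SKIP,   ANSWER_SKIP,   ANSWER_SKIP };

static void sim_reset(const answer_t *script, int n)
{
    memset(&sim, 0, sizeof sim);
    for (int i = 0; i < n && i < CHAIN_MAX; i++)
        sim.answer[i] = script[i];
    skip_mode = 0;
    last_pos = -1;
}

static int sim_prompts(void)    { return sim.prompts; }
static int sim_duplicates(void) { return sim.duplicates; }

/* Stand-in for the function Mutt registers with SSL_CTX_set_verify().
 * In real code pos would come from X509_STORE_CTX_get_error_depth(ctx).
 * Returns 1 to let OpenSSL continue, 0 to abort the handshake. */
static int verify_callback(int preverify_ok, int pos)
{
    /* Model assumption: a cert accepted higher in the chain trusts the rest. */
    if (sim.accepted)
        return 1;

    /* The guard from the comment: same depth, still in skip mode, so this
     * is the duplicate call.  Log it and keep telling OpenSSL "verified". */
    if (use_guard && skip_mode && last_pos == pos) {
        sim.duplicates++;
        printf("depth %d: duplicate callback (preverify_ok=%d), ignoring\n",
               pos, preverify_ok);
        return 1;
    }

    sim.prompts++;
    last_pos = pos;
    printf("depth %d: prompting user (preverify_ok=%d)\n", pos, preverify_ok);

    switch (sim.answer[pos]) {
    case ANSWER_ACCEPT:
        skip_mode = 0;
        sim.accepted = 1;
        return 1;
    case ANSWER_SKIP:
        /* Model assumption: at depth 0 there is nothing left to skip to, so
         * treat the skip as a reject instead of passing an unverified chain. */
        if (pos == 0)
            return 0;
        skip_mode = 1;
        return 1;          /* this is the "returning true" the comment describes */
    case ANSWER_REJECT:
    default:
        return 0;
    }
}

/* Simulated handshake over depth+1 certs.  If repeat_pos >= 0 the callback
 * is invoked a second time for that depth with preverify_ok=1, as observed
 * in the comment.  Returns 1 if OpenSSL would complete the handshake. */
static int run_chain(int depth, int repeat_pos)
{
    for (int pos = depth; pos >= 0; pos--) {
        if (!verify_callback(0, pos))
            return 0;
        if (pos == repeat_pos && !verify_callback(1, pos))
            return 0;
    }
    return 1;
}

int main(void)
{
    sim_reset(script_skip_then_accept, 3);
    int ok = run_chain(2, 2);
    printf("handshake %s, prompts=%d, duplicates=%d\n",
           ok ? "continues" : "aborted", sim_prompts(), sim_duplicates());
    return 0;
}
```

With the guard on, skipping the anchor and accepting the intermediate prompts the user twice and logs one duplicate; with `use_guard = 0` the repeated callback at the same depth prompts a third time, which is the symptom the comment is working around. Note what the skip path does in either case: it hands OpenSSL a 1 for a certificate nobody accepted, which is why the comment's other option is to drop the (s)kip prompt altogether.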