On 2017-07-12 11:14:36 +0200, Olaf Hering wrote:
> On Wed, Jul 12, Vincent Lefevre wrote:
> 
> > This might mean that Mutt was hanging on certificate checking with
> > OpenSSL, but with GnuTLS, certificate checking doesn't work at all
> > on your machine, which is a quite serious security issue.
> 
> The exact message is "Warning: Server certificate was signed using an
> insecure algorithm". According to strace mutt does not seem to open any
> cert-related system files. Not sure what this actually means.
Then the reason is:

  https://www.gnutls.org/manual/html_node/Digital-signatures.html#Trading-security-for-interoperability

"If you connect to a server and use GnuTLS' functions to verify the
certificate chain, and get a GNUTLS_CERT_INSECURE_ALGORITHM validation
error (see Verifying X.509 certificate paths), it means that somewhere
in the certificate chain there is a certificate signed using RSA-MD2 or
RSA-MD5. These two digital signature algorithms are considered broken,
so GnuTLS fails verifying the certificate."

I wonder whether OpenSSL does something about these algorithms. There
are two possibilities:

1. OpenSSL does not complain (in which case it can be regarded as
   insecure), and the hang is due to some later issue.

2. There's some failure with OpenSSL due to the use of these algorithms,
   but Mutt cannot handle it correctly.

You might want to see where Mutt hangs with OpenSSL.

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
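What the GnuTLS check quoted above actually tests, as an added example that is not part of this thread and is not code from Mutt, GnuTLS or OpenSSL: every certificate in the chain carries an outer signatureAlgorithm field stating how its issuer signed it, and a chain is flagged if any of those is md2WithRSAEncryption or md5WithRSAEncryption. The block below walks that one DER field of each certificate with the standard library only. The function names (`signature_oid`, `insecure_signatures`, `fake_cert`) are this example's own, and the three certificates in `SAMPLE_CHAIN` are constructed placeholders that are structurally valid DER but carry no real signature; the intermediate one is marked as MD5-signed so the check has something to find.

```python
# Added example: flag MD2/MD5-signed certificates in a chain, the condition
# behind GnuTLS's GNUTLS_CERT_INSECURE_ALGORITHM. Standard library only.

# RSA signature algorithm OIDs that GnuTLS refuses (RFC 3279, section 2.2.1).
INSECURE_SIG_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}


def _read_tlv(data, pos):
    """Parse one DER tag-length-value at data[pos]; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _decode_oid(value):
    """Turn OID content octets into dotted-decimal form."""
    parts = [str(value[0] // 40), str(value[0] % 40)]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends the sub-identifier
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def signature_oid(der_cert):
    """Return the OID of the outer signatureAlgorithm of a DER Certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, body, _ = _read_tlv(der_cert, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    _, _, pos = _read_tlv(body, 0)         # skip tbsCertificate
    tag, algid, _ = _read_tlv(body, pos)   # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = _read_tlv(algid, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def insecure_signatures(chain):
    """List (position, algorithm name) for every certificate signed with MD2 or MD5."""
    findings = []
    for i, cert in enumerate(chain):
        oid = signature_oid(cert)
        if oid in INSECURE_SIG_OIDS:
            findings.append((i, INSECURE_SIG_OIDS[oid]))
    return findings


# --- constructed test data: structurally valid DER, not real certificates ---

def _tlv(tag, value):
    """Encode a DER TLV (short or long form length)."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(dotted):
    """Encode a dotted OID into DER content octets (base-128 with continuation bit)."""
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([parts[0] * 40 + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def fake_cert(sig_oid):
    """Build a placeholder Certificate whose only meaningful field is signatureAlgorithm."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                                  # tbsCertificate stub
    algid = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))  # OID + NULL params
    sig = _tlv(0x03, b"\x00" + bytes(16))                                  # signatureValue stub
    return _tlv(0x30, tbs + algid + sig)


# Leaf signed with SHA-256, intermediate signed with MD5, root signed with SHA-1.
SAMPLE_CHAIN = [
    fake_cert("1.2.840.113549.1.1.11"),   # sha256WithRSAEncryption
    fake_cert("1.2.840.113549.1.1.4"),    # md5WithRSAEncryption: the one GnuTLS rejects
    fake_cert("1.2.840.113549.1.1.5"),    # sha1WithRSAEncryption
]

if __name__ == "__main__":
    for pos, name in insecure_signatures(SAMPLE_CHAIN):
        print(f"certificate {pos} in chain signed with {name}: insecure")
```

To run this against a real server, the chain presented by `openssl s_client -showcerts` can be split into its PEM blocks, converted with `openssl x509 -outform DER`, and passed to `insecure_signatures` as a list of byte strings; any hit is a certificate that GnuTLS will refuse regardless of what OpenSSL itself decides to do with it. The example only inspects the signature algorithm; it does not verify signatures or trust, which is the job of the TLS library.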