Greetings,

On Wed, Jan 30, 2013 at 03:29:27AM -0500, grarpamp wrote:
> I'm looking through the manual and I'm not seeing where I can:

> 1) Specify, in the fixed muttrc configuration, a sha1 certificate
> fingerprint that must match on a per host basis before continuing
> with the connection.

This is not supported directly, but here is what you can do:

$certificate_file contains the certs that you have accepted permanently via the SSL/TLS dialog. So if you verify the certificate fingerprint during the initial connection, that cert will go into your certificate store.

However, this will not prevent the cert chain from validating with a *different* certificate. So if you need that feature, after you have accepted the cert as described above, you want to make sure to prevent mutt from using any other certs:

unset ssl_ca_certificates_file
unset ssl_usesystemcerts

> 2) Additionally, and optionally, validate the cert presented by any
> ssl/tls (or starttls upgraded) connection back to the respective
> root ca using a per host cert/bundle file linked to from a muttrc.

You could do this probably with an account-hook and setting $ssl_ca_certificates_file and ensuring that $ssl_usesystemcerts is unset.

me
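As an added illustration (not part of the thread or of mutt's own documentation), a muttrc fragment that puts both suggestions above together; the hostnames and file paths are placeholders, and $ssl_force_tls is an extra hardening setting the reply does not mention:

```muttrc
# Added example, not from the original thread. Hostnames/paths are placeholders.

# Point 1 (pinning): trust only certificates previously accepted into
# $certificate_file. With no CA bundle available, a *different* certificate
# from the same host cannot chain to anything and mutt falls back to the
# interactive accept/reject dialog instead of silently continuing.
set certificate_file = "~/.mutt/certificates"
unset ssl_ca_certificates_file
unset ssl_usesystemcerts
set ssl_force_tls = yes        # never fall back to plaintext (not in the thread)

# Point 2 (per-host CA bundle): account-hook runs before each IMAP/POP
# connection whose URL matches the pattern. The catch-all hook first resets
# the CA file so one host's bundle never leaks into another host's check.
account-hook . 'unset ssl_ca_certificates_file; unset ssl_usesystemcerts'
account-hook 'imaps://mail\.example\.org/' \
    'set ssl_ca_certificates_file = "~/.mutt/ca/mail.example.org.pem"'
account-hook 'pops://pop\.example\.net/' \
    'set ssl_ca_certificates_file = "~/.mutt/ca/pop.example.net.pem"'
```

Note that with the catch-all reset in place, any host without its own account-hook is back in the pinning-only mode of point 1.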
