I just switched our SSL certificates to newer ones (they used intermediate
certificates before as well). Before, I didn't need to accept or save the
certificates as long as $ssl_ca_certificates_file was set to the system bundle
(which has at least the root certificate in the chain, based on the
fingerprint). Since upgrading, though, I'm prompted to accept *all*
certificates in the chain when connecting via IMAP.

Does the extra "anchor" cause a problem, or is there some other problem I'm
missing?

The chain, as reported by openssl s_client -connect [host]:993:

Certificate chain
 0 s:/C=US/postalCode=XXXXXXXX
   i:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
 1 s:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root

$ mutt -D | egrep "ssl|certificate"
certificate_file="~/.mutt_certificates"
smime_certificates=""
ssl_ca_certificates_file="/etc/pki/tls/certs/ca-bundle.crt"
ssl_client_cert=""
ssl_force_tls is unset
ssl_min_dh_prime_bits=0
ssl_starttls=yes
ssl_use_sslv3 is set
ssl_use_tlsv1 is set
ssl_verify_dates is set
ssl_verify_host is set

$ mutt -v
Mutt 1.5.20 (2009-12-10)
Copyright (C) 1996-2009 Michael R. Elkins and others.
Mutt comes with ABSOLUTELY NO WARRANTY; for details type `mutt -vv'.
Mutt is free software, and you are welcome to redistribute it
under certain conditions; type `mutt -vv' for details.

System: Linux 2.6.18-400.el5 (x86_64)
ncurses: ncurses 5.5.20060715 (compiled with 5.5)
libidn: 0.6.5 (compiled with 0.6.5)
hcache backend: Sleepycat Software: Berkeley DB 4.3.29: (May 26, 2010)
Compile options:
-DOMAIN
-DEBUG
-HOMESPOOL  -USE_SETGID  +USE_DOTLOCK  -DL_STANDALONE  +USE_FCNTL  -USE_FLOCK   
+USE_POP  +USE_IMAP  +USE_SMTP  
-USE_SSL_OPENSSL  +USE_SSL_GNUTLS  +USE_SASL  +USE_GSS  +HAVE_GETADDRINFO  
+HAVE_REGCOMP  -USE_GNU_REGEX  
+HAVE_COLOR  +HAVE_START_COLOR  +HAVE_TYPEAHEAD  +HAVE_BKGDSET  
+HAVE_CURS_SET  +HAVE_META  +HAVE_RESIZETERM  
+CRYPT_BACKEND_CLASSIC_PGP  +CRYPT_BACKEND_CLASSIC_SMIME  -CRYPT_BACKEND_GPGME  
-EXACT_ADDRESS  -SUN_ATTACHMENT  
+ENABLE_NLS  -LOCALES_HACK  +HAVE_WC_FUNCS  +HAVE_LANGINFO_CODESET  
+HAVE_LANGINFO_YESEXPR  
+HAVE_ICONV  -ICONV_NONTRANS  +HAVE_LIBIDN  +HAVE_GETSID  +USE_HCACHE  
ISPELL="/usr/bin/hunspell"
SENDMAIL="/usr/sbin/sendmail"
MAILPATH="/var/mail"
PKGDATADIR="/usr/share/mutt"
SYSCONFDIR="/etc"
EXECSHELL="/bin/sh"
-MIXMASTER
To contact the developers, please mail to <mutt-...@mutt.org>.
To report a bug, please visit http://bugs.mutt.org/.
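As an added example (not part of the original post, and not mutt or OpenSSL code): a small Python script that parses the `Certificate chain` block from `openssl s_client` output like the one quoted above, checks that each certificate's issuer matches the next certificate's subject, and flags a self-signed certificate at the end of the chain, which is the extra anchor the post asks about. The sample output embedded in the script is constructed to mirror the chain above. `first_trusted_depth` is only a subject-name approximation of where a verifier holding the given CA bundle would stop walking the chain; it is not a real X.509 signature check.

```python
"""
Parse the "Certificate chain" section printed by `openssl s_client` and
describe the chain's shape: does each issuer match the next subject, and
does the server send a self-signed root (a redundant trust anchor) last?
"""
import re
from typing import Dict, List, Optional, Set

# Constructed sample, assumed to look like `openssl s_client -connect host:993`
# output; the depth-0 subject is shortened as in the post.
SAMPLE_S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/postalCode=XXXXXXXX
   i:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
 1 s:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
"""

# " 0 s:<subject>" starts an entry; "   i:<issuer>" completes it.
_SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
_ISSUER_RE = re.compile(r"^\s+i:(.*)$")


def parse_chain(text: str) -> List[Dict[str, object]]:
    """Return [{'depth': n, 'subject': ..., 'issuer': ...}, ...] in the
    order the server sent the certificates (depth 0 is the leaf)."""
    chain: List[Dict[str, object]] = []
    in_section = False
    current: Optional[Dict[str, object]] = None
    for line in text.splitlines():
        if line.strip() == "Certificate chain":
            in_section = True
            continue
        if not in_section:
            continue
        if line.strip() == "---":
            break  # the chain section ends at the next separator
        m = _SUBJECT_RE.match(line)
        if m:
            current = {"depth": int(m.group(1)),
                       "subject": m.group(2).strip(), "issuer": ""}
            chain.append(current)
            continue
        m = _ISSUER_RE.match(line)
        if m and current is not None:
            current["issuer"] = m.group(1).strip()
    return chain


def analyse_chain(chain: List[Dict[str, object]]) -> Dict[str, object]:
    """Structural checks on the parsed chain (no signature verification):
    linked            - every issuer equals the next certificate's subject
    self_signed_depths - depths whose subject equals their issuer
    trailing_anchor   - the last certificate is self-signed, i.e. the server
                        ships its own root in the handshake"""
    linked = all(chain[i]["issuer"] == chain[i + 1]["subject"]
                 for i in range(len(chain) - 1))
    self_signed = [c["depth"] for c in chain if c["subject"] == c["issuer"]]
    trailing = bool(chain) and chain[-1]["subject"] == chain[-1]["issuer"]
    return {"linked": linked, "self_signed_depths": self_signed,
            "trailing_anchor": trailing}


def first_trusted_depth(chain: List[Dict[str, object]],
                        trusted_subjects: Set[str]) -> Optional[int]:
    """Approximation only: the first depth whose subject name is in the
    trusted set, i.e. where a verifier holding that bundle could stop.
    Real verifiers match on key and name, not on the DN string alone."""
    for cert in chain:
        if cert["subject"] in trusted_subjects:
            return int(cert["depth"])
    return None


if __name__ == "__main__":
    parsed = parse_chain(SAMPLE_S_CLIENT_OUTPUT)
    for cert in parsed:
        print(f"{cert['depth']}: {cert['subject']}\n   issued by {cert['issuer']}")
    print(analyse_chain(parsed))
```

Run against the output of `openssl s_client -connect host:993 < /dev/null` and a `trailing_anchor` of `True` tells you the server is sending a self-signed root in addition to the intermediates; that root adds nothing for a client whose bundle already holds it, and it is the first thing to remove from the server's chain file when trimming the handshake.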
