#3758: TLS certificate pinning
-------------------------+----------------------
Reporter: ilf | Owner: mutt-dev
Type: enhancement | Status: new
Priority: major | Milestone:
Component: crypto | Version:
Keywords: |
-------------------------+----------------------
Right now, TLS certificates are verified against X.509. That's common, but
has some drawbacks.
Recently, certificate pinning has gained a lot more prominence, especially
post-Snowden:
> Traditionally, a TLS client verifies a TLS server's public key using a
> certificate chain issued by some public CA. "Pinning" is a way for clients
> to obtain increased certainty in server public keys. Clients that employ
> pinning check for some constant "pinned" element of the TLS connection
> when contacting a particular TLS host.
http://tack.io/draft.html
mpop and msmtp provide an option "tls_fingerprint" to do exactly that:
> Set the fingerprint of a single certificate to accept for TLS. This
> certificate will be trusted regardless of its contents. The fingerprint
> can be either an SHA1 (recommended) or an MD5 fingerprint in the format
> 01:23:45:67:…. Use ‘--serverinfo --tls --tls-certcheck=off’ to get the
> server certificate fingerprints.
http://mpop.sourceforge.net/doc/mpop.html#tls_005ffingerprint
http://msmtp.sourceforge.net/doc/msmtp.html#tls_005ffingerprint
It would be great for mutt to also get an option ssl_fingerprint for IMAP
and SMTP.
Thanks, and keep up the good work!
--
Ticket URL: <http://dev.mutt.org/trac/ticket/3758>
Mutt <http://www.mutt.org/>
The Mutt mail user agent
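The following is an added example of the fingerprint check the ticket asks for, written by the editor to illustrate the mechanism; it is not mutt's, mpop's or msmtp's code. It computes a colon-separated fingerprint over the raw DER bytes of a server certificate, parses a pin in the 01:23:45:… format (inferring SHA-256 or SHA1 from the digest length and refusing 16-byte MD5 pins), and compares in constant time. `SAMPLE_DER` is a constructed byte string standing in for a certificate, and the function names (`fingerprint`, `parse_pin`, `pin_matches`, `connect_pinned`) are assumptions for this example, not a proposed mutt API.

```python
import hashlib
import hmac
import socket
import ssl
from typing import Tuple

# Constructed stand-in for a DER-encoded server certificate. It is not a real
# certificate: a fingerprint is a hash over the raw DER bytes, so any byte
# string exercises the same code path as a real leaf certificate would.
SAMPLE_DER = bytes(range(256)) * 4

# Digest lengths accepted for a pin. MD5 (16 bytes) is deliberately absent:
# collisions are practical, so an MD5 pin gives no assurance.
_ALGO_BY_LEN = {32: "sha256", 20: "sha1"}


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Return the fingerprint of a DER certificate as uppercase AA:BB:CC:... ."""
    if algo not in _ALGO_BY_LEN.values():
        raise ValueError("unsupported fingerprint algorithm: %s" % algo)
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_pin(text: str) -> Tuple[str, bytes]:
    """Parse a 01:23:45:... pin into (algorithm, raw digest).

    Colons, spaces and letter case are ignored; the algorithm is inferred from
    the digest length, as mpop/msmtp do. Anything that is not hex, or not a
    SHA-256/SHA1-sized digest, is rejected rather than silently accepted.
    """
    hexstr = text.replace(":", "").replace(" ", "").lower()
    try:
        raw = bytes.fromhex(hexstr)
    except ValueError:
        raise ValueError("pin is not hexadecimal: %r" % text)
    algo = _ALGO_BY_LEN.get(len(raw))
    if algo is None:
        raise ValueError("unsupported digest length %d bytes (MD5 pins are rejected)" % len(raw))
    return algo, raw


def pin_matches(der: bytes, pin: str) -> bool:
    """True if the certificate's digest equals the pin (constant-time compare)."""
    algo, expected = parse_pin(pin)
    actual = hashlib.new(algo, der).digest()
    return hmac.compare_digest(actual, expected)


def connect_pinned(host: str, port: int, pin: str, timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection and keep it only if the leaf certificate matches the pin.

    Chain/CA validation is switched off, exactly as the ticket describes: the
    pin replaces it, so an unpinned or wrong certificate is an error even if a
    public CA signed it. Network access is needed; this is not run by the test.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # trust decision is made by the pin below
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)  # DER bytes are available even with CERT_NONE
    if der is None or not pin_matches(der, pin):
        tls.close()
        raise ssl.SSLCertVerificationError("server certificate does not match the pinned fingerprint")
    return tls


if __name__ == "__main__":
    pin = fingerprint(SAMPLE_DER)
    print("sha256 pin:", pin)
    print("matches:", pin_matches(SAMPLE_DER, pin))
    print("tampered matches:", pin_matches(SAMPLE_DER + b"\x00", pin))
```

Two caveats a practitioner would want alongside such an option. First, obtaining the pin with certificate checking turned off, as the mpop/msmtp docs suggest, is a trust-on-first-use step: if that first connection is already intercepted, the attacker's fingerprint gets pinned, so compare it against a value obtained out of band (from the server operator or over a verified channel) before saving it. Second, because the pin is over the leaf certificate, it breaks on every renewal, and where the format allows it SHA-256 is a better choice than the SHA1 the quoted docs recommend.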