#3916: Mutt 1.8: TOFU approach bails out on first fail or reject, not offering higher links of the cert' chain
--------------------------+----------------------
 Reporter:  kratem32      |      Owner:  mutt-dev
     Type:  enhancement   |     Status:  new
 Priority:  minor         |  Milestone:  1.8
Component:  crypto        |    Version:
Resolution:               |   Keywords:  tofu
--------------------------+----------------------
Comment (by kevin8t8):
Hi Matthias,
Thanks for taking a look!
For the "enhanced" functionality requested by the ticket, you would
normally set ssl_verify_partial_chains=yes.
The ask-yes/ask-no settings are only useful for saving parts of the chain
to the certificate file. Once you've done that, they are not helpful
because (as you reported) OpenSSL still doesn't verify earlier parts of
the chain, and the "ask" setting prompts you.
So I would retry #2, with the host certificate already saved, with
ssl_verify_partial_chains=yes.
kratem32 saw the first issue in comment:26. I couldn't duplicate it, and
kratem32 mentioned he could not either in comment:35. The behavior is
strange, because we've returned "true" from the callback. I'm not sure
why OpenSSL would pass it again.
I'm not too concerned about this, because with
ssl_verify_partial_chains=yes you won't notice it. But if this is an
issue, I suppose we could somehow cache skipped certificates.
--
Ticket URL: <https://dev.mutt.org/trac/ticket/3916#comment:45>
Mutt <http://www.mutt.org/>
The Mutt mail user agent
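A constructed demonstration of the verification behaviour the comment describes (added here; not Mutt's code or part of the ticket): a trust file that holds only the host certificate's issuer fails OpenSSL's default verification because the chain never reaches a self-signed root, while the openssl CLI's -partial_chain flag accepts it. The assumption is that this flag is the command-line counterpart of what ssl_verify_partial_chains=yes enables; all certificates and names below are throwaway values generated on the spot.

```shell
#!/bin/sh
# Constructed demo, not Mutt code: build root -> intermediate -> host and
# check host.pem against a trust file holding only the intermediate, once
# with OpenSSL's default rules and once with -partial_chain (assumed to be
# the CLI equivalent of Mutt's ssl_verify_partial_chains option).
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
cd "$work"

# Intermediate needs CA:TRUE or OpenSSL rejects it as an issuer.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Demo Root' \
    -keyout root.key -out root.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate' \
    -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -days 2 -in inter.csr -CA root.pem -CAkey root.key \
    -CAcreateserial -extfile ca.ext -out inter.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj '/CN=mail.example.test' \
    -keyout host.key -out host.csr 2>/dev/null
openssl x509 -req -days 2 -in host.csr -CA inter.pem -CAkey inter.key \
    -CAcreateserial -out host.pem 2>/dev/null

# verify_host TRUSTFILE [FLAG]: exit 0 if host.pem verifies against the
# trust file (optionally with an extra openssl verify flag), non-zero if not.
verify_host() {
    openssl verify ${2:-} -CAfile "$1" host.pem >/dev/null 2>&1
}

# Trust file = only the intermediate, i.e. what saving part of the chain
# into the certificate file leaves you with.
if verify_host inter.pem; then
    echo "default rules: accepted"
else
    echo "default rules: rejected (chain does not end at a trusted root)"
fi
if verify_host inter.pem -partial_chain; then
    echo "-partial_chain: accepted (intermediate is a valid anchor)"
else
    echo "-partial_chain: rejected"
fi
```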