Hi Florent,

thanks for the report!

On Tue, Jul 14, 2015 at 02:10:04PM +0200, Florent Daigniere wrote:

> I've recently tried to configure mutt to do TLS certificate pinning... 
> which according to its manual is possible with the 
> ssl_ca_certificates_file option.
> 
> It reads: "This variable specifies a file containing trusted CA 
> certificates.  Any server certificate that is signed with one of these 
> CA certificates is also automatically accepted."
> 
> Unfortunately it doesn't seem to be how it works in practice... I'm 
> not sure if it's the debian patches or an upstream bug.

I can reproduce the behaviour on Fedora with 1.5.23-7.fc22, so probably 
not a Debian-specific patch that is to blame.

> Here's how to reproduce:
> 
> mutt -e "set ssl_ca_certificates_file=/dev/null" -f imaps://imap.gmail.com
> doesn't work (as expected)
> mutt -e "set ssl_ca_certificates_file=/tmp/geotrust.crt" -f imaps://imap.gmail.com
> works (as expected)
> mutt -e "set ssl_ca_certificates_file=/tmp/google.crt" -f imaps://imap.gmail.com
> doesn't work (unexpected!)
> 
> The ability to pin intermediate certificates is important for security 
> minded users. Please fix it.

The interesting thing is that it does not work with OpenSSL on Fedora 
either:
openssl s_client -CAfile /tmp/google.crt -connect imap.gmail.com:imaps
...
    Verify return code: 2 (unable to get issuer certificate)


But it works with $randomcert on Debian?!
openssl s_client -CAfile /etc/ssl/certs/TURKTRUST_Certificate_Services_Provider_Root_1.pem -connect imap.gmail.com:imaps
...
    Verify return code: 0 (ok)


Using GnuTLS (which mutt uses) it seems not to work on both Debian and 
Fedora:
gnutls-cli --x509cafile /tmp/google.crt imap.gmail.com -p imaps
...
- Status: The certificate is NOT trusted. The certificate issuer is unknown. 

So much for the debugging. Let's see if someone has further ideas.

Regards
Evgeni

-- 
Bruce Schneier can read and understand Perl programs.
