> Do you have $ssl_usesystemcerts set, and is your system properly
> set up with a system certificate store? Or, are you working completely
> off your $certificate_file?
It is unset and I'm working off the local file. There is a commented entry
pointing to the system cert file, but I don't recall if I ever used this
setting or why I changed it. The last change date on the file is November 2015.
> Do you have $ssl_verify_dates set?
According to mutt -Q, yes.
> What are the validity dates for your "CN=Google G2, Issuer=Geotrust"
> certificate in local store? Is that cert actually expired, or is the
> prompt incorrect?
It is valid:
    Data:
        Version: 3 (0x2)
        Serial Number: 146066 (0x23a92)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
        Validity
            Not Before: Apr  1 00:00:00 2015 GMT
            Not After : Dec 31 23:59:59 2017 GMT
        Subject: C=US, O=Google Inc, CN=Google Internet Authority G2
> Last, would you mind creating debug logs (at level -d 2) for the two
> cases you mention happening in default tip: with the expired
> imap.google.com certificate (i.e. your local certificate file has three
> entries), and without the expired imap.google.com certificate.
Attached. "muttdebug0-expired" is the log of using a certificates file with the
expired imap.google.com cert. It prompts for (r)eject or accept (o)nce. I chose
the second option and got "SSL failed: I/O error". "muttdebug0-2certs" is the
debug log when using a certificates file with only two certs in it: CN=GeoTrust,
issued by OU=Equifax, valid until Aug 21 04:00:00 2018 GMT, and CN=Google
Internet Authority G2, issued by CN=GeoTrust Global CA, valid until Dec 31
23:59:59 2017 GMT.
> What I hear you saying is that *with* the expired imap.google.com
> certificate, you are getting a prompt for an expired Google G2 cert
> (the 2nd in the chain). But without the expired imap.google.com you
> are getting no prompt. Is that right?
That is correct. With only two certs in the local store and no cert for
imap.google.com present, it proceeds straight to the password prompt. It's
like the actual server cert is considered optional because the rest of the
chain checks out.
Attachment muttdebug0-expired:

[2017-02-09 22:36:30] Mutt/1.7.2+40 (fca7e504ab6a) (2016-11-26) debugging at level 2
[2017-02-09 22:36:30] In mutt_reflow_windows
[2017-02-09 22:36:30] In mutt_reflow_windows
[2017-02-09 22:36:30] Reading configuration file '/home/isdtor/.mutt/gmail.rc'.
[2017-02-09 22:36:30] Reading configuration file '/home/isdtor/.mutt/aliases'.
[2017-02-09 22:36:30] Reading configuration file '/home/isdtor/.mutt/common-vars.rc'.
[2017-02-09 22:36:30] Reading configuration file '/home/isdtor/.mutt/term/xterm'.
[2017-02-09 22:36:30] Reading configuration file '/home/isdtor/.mutt/gpg.rc'.
[2017-02-09 22:36:30] Reading imaps://imap.gmail.com:993/...
[2017-02-09 22:36:30] Looking up imap.gmail.com...
[2017-02-09 22:36:38] Connecting to imap.gmail.com...
[2017-02-09 22:36:38] ssl_verify_callback: checking cert chain entry /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA (preverify: 0)
[2017-02-09 22:36:38] ssl_verify_callback: digest check passed
[2017-02-09 22:36:38] ssl_verify_callback: checking cert chain entry /C=US/O=Google Inc/CN=Google Internet Authority G2 (preverify: 0)
[2017-02-09 22:36:38] Server certificate has expired
[2017-02-09 22:36:38] Server certificate has expired
[2017-02-09 22:36:40] X509_verify_cert: certificate has expired (10)
[2017-02-09 22:37:17] ssl_cache_trusted_cert: trusted
[2017-02-09 22:37:17] ssl interactive_check_cert: done=2
[2017-02-09 22:37:17] ssl_verify_callback: checking cert chain entry /C=US/O=Google Inc/CN=Google Internet Authority G2 (preverify: 1)
[2017-02-09 22:37:17] ssl_verify_callback: using cached certificate
[2017-02-09 22:37:17] ssl_verify_callback: checking cert chain entry /C=US/ST=California/L=Mountain View/O=Google Inc/CN=imap.gmail.com (preverify: 1)
[2017-02-09 22:37:17] ssl_verify_callback: hostname check passed
[2017-02-09 22:37:17] SSL failed: I/O error
[2017-02-09 22:37:18] Connected to imap.gmail.com:993 on fd=-1

Attachment muttdebug0-2certs:

[2017-02-09 22:26:18] Mutt/1.7.2+40 (fca7e504ab6a) (2016-11-26) debugging at level 2
[2017-02-09 22:26:18] In mutt_reflow_windows
[2017-02-09 22:26:18] In mutt_reflow_windows
[2017-02-09 22:26:18] Reading configuration file '/home/isdtor/.mutt/gmail.rc'.
[2017-02-09 22:26:18] Reading configuration file '/home/isdtor/.mutt/aliases'.
[2017-02-09 22:26:18] Reading configuration file '/home/isdtor/.mutt/common-vars.rc'.
[2017-02-09 22:26:18] Reading configuration file '/home/isdtor/.mutt/term/xterm'.
[2017-02-09 22:26:18] Reading configuration file '/home/isdtor/.mutt/gpg.rc'.
[2017-02-09 22:26:19] Reading imaps://imap.gmail.com:993/...
[2017-02-09 22:26:19] Looking up imap.gmail.com...
[2017-02-09 22:26:27] Connecting to imap.gmail.com...
[2017-02-09 22:26:27] ssl_verify_callback: checking cert chain entry /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA (preverify: 0)
[2017-02-09 22:26:27] ssl_verify_callback: digest check passed
[2017-02-09 22:26:27] ssl_verify_callback: checking cert chain entry /C=US/O=Google Inc/CN=Google Internet Authority G2 (preverify: 1)
[2017-02-09 22:26:27] ssl_verify_callback: checking cert chain entry /C=US/ST=California/L=Mountain View/O=Google Inc/CN=imap.gmail.com (preverify: 1)
[2017-02-09 22:26:27] ssl_verify_callback: hostname check passed
[2017-02-09 22:26:27] TLSv1.2 connection using TLSv1/SSLv3 (ECDHE-RSA-AES128-GCM-SHA256)
[2017-02-09 22:26:28] Connected to imap.gmail.com:993 on fd=4
[2017-02-09 22:26:28] 4< * OK Gimap ready for requests from <my public ip> t14mb375071947eda
[2017-02-09 22:26:28] 4> a0000 CAPABILITY
[2017-02-09 22:26:28] 4< * CAPABILITY IMAP4rev1 UNSELECT IDLE NAMESPACE QUOTA ID XLIST CHILDREN X-GM-EXT-1 XYZZY SASL-IR AUTH=XOAUTH2 AUTH=PLAIN AUTH=PLAIN-CLIENTTOKEN AUTH=OAUTHBEARER AUTH=XOAUTH
[2017-02-09 22:26:28] 4< a0000 OK Thats all she wrote! t14mb375071947eda
[2017-02-09 22:26:28] imap_authenticate: Using any available method.
[2017-02-09 22:26:28] SASL local ip: 192.168.1.5;52102, remote ip:209.85.202.108;993
[2017-02-09 22:26:28] External SSF: 128
[2017-02-09 22:26:28] mutt_sasl_cb_authname: getting authname for imap.gmail.com:993
[2017-02-09 22:26:28] mutt_sasl_cb_authname: getting user for imap.gmail.com:993
[2017-02-09 22:26:28] mutt_sasl_cb_pass: getting password for [email protected]@imap.gmail.com:993
[2017-02-09 22:26:35] Authenticating (PLAIN)...
[2017-02-09 22:26:35] 4> a0001 AUTHENTICATE PLAIN [base64 SASL PLAIN credentials redacted]
[2017-02-09 22:26:35] 4< * CAPABILITY IMAP4rev1 UNSELECT IDLE NAMESPACE QUOTA ID XLIST CHILDREN X-GM-EXT-1 UIDPLUS COMPRESS=DEFLATE ENABLE MOVE CONDSTORE ESEARCH UTF8=ACCEPT LIST-EXTENDED LIST-STATUS LITERAL- APPENDLIMIT=35651584 SPECIAL-USE
[2017-02-09 22:26:35] 4< a0001 OK [email protected] authenticated (Success)
[2017-02-09 22:26:35] Communication encrypted at 128 bits
[2017-02-09 22:26:35] 4> a0002 CAPABILITY
a0003 ENABLE UTF8=ACCEPT
a0004 LIST "" ""
[2017-02-09 22:26:36] 4< * CAPABILITY IMAP4rev1 UNSELECT IDLE NAMESPACE QUOTA ID XLIST CHILDREN X-GM-EXT-1 UIDPLUS COMPRESS=DEFLATE ENABLE MOVE CONDSTORE ESEARCH UTF8=ACCEPT LIST-EXTENDED LIST-STATUS LITERAL- APPENDLIMIT=35651584 SPECIAL-USE
[2017-02-09 22:26:36] 4< a0002 OK Success
[2017-02-09 22:26:36] 4< * ENABLED UTF8=ACCEPT
[2017-02-09 22:26:36] Handling ENABLED
[2017-02-09 22:26:36] 4< a0003 OK Success
[2017-02-09 22:26:36] 4< * LIST (\Noselect) "/" "/"
[2017-02-09 22:26:36] 4< a0004 OK Success
[2017-02-09 22:26:36] Selecting INBOX...
[2017-02-09 22:26:36] 4> a0005 SELECT "INBOX"
[2017-02-09 22:26:36] 4< * FLAGS (\Answered \Flagged \Draft \Deleted \Seen $NotPhishing $Phishing)
[2017-02-09 22:26:36] 4< * OK [PERMANENTFLAGS (\Answered \Flagged \Draft \Deleted \Seen $NotPhishing $Phishing \*)] Flags permitted.
[2017-02-09 22:26:36] 4< * OK [UIDVALIDITY 645366679] UIDs valid.
[2017-02-09 22:26:36] 4< * 4 EXISTS
[2017-02-09 22:26:36] Handling EXISTS
[2017-02-09 22:26:36] cmd_handle_untagged: New mail in INBOX - 4 messages total.
[2017-02-09 22:26:36] 4< * 0 RECENT
[2017-02-09 22:26:36] 4< * OK [UIDNEXT 83374] Predicted next UID.
[2017-02-09 22:26:36] 4< * OK [HIGHESTMODSEQ 3924367]
[2017-02-09 22:26:36] 4< a0005 OK [READ-WRITE] INBOX selected. (Success)
[2017-02-09 22:26:36] Fetching message headers... 0/4 (0%)
[2017-02-09 22:26:36] 4> a0006 FETCH 1:4 (UID FLAGS INTERNALDATE RFC822.SIZE BODY.PEEK[HEADER.FIELDS (DATE FROM SUBJECT TO CC MESSAGE-ID REFERENCES CONTENT-TYPE CONTENT-DESCRIPTION IN-REPLY-TO REPLY-TO LINES LIST-POST X-LABEL)])
[2017-02-09 22:26:36] 4< * 1 FETCH (UID 83370 RFC822.SIZE 5445 INTERNALDATE "09-Feb-2017 21:51:49 +0000" FLAGS () BODY[HEADER.FIELDS (DATE FROM SUBJECT TO CC MESSAGE-ID REFERENCES CONTENT-TYPE CONTENT-DESCRIPTION IN-REPLY-TO REPLY-TO LINES LIST-POST X-LABEL)] {554}
[2017-02-09 22:26:36] imap_read_literal: reading 554 bytes
[2017-02-09 22:26:36] 4< )
[2017-02-09 22:26:36] parse_parameters: `charset="us-ascii"; Format="flowed"'
[2017-02-09 22:26:36] parse_parameter: `charset' = `us-ascii'
[2017-02-09 22:26:36] parse_parameter: `Format' = `flowed'
[2017-02-09 22:26:36] 4< * 2 FETCH (UID 83371 RFC822.SIZE 7035 INTERNALDATE "09-Feb-2017 22:01:09 +0000" FLAGS () BODY[HEADER.FIELDS (DATE FROM SUBJECT TO CC MESSAGE-ID REFERENCES CONTENT-TYPE CONTENT-DESCRIPTION IN-REPLY-TO REPLY-TO LINES LIST-POST X-LABEL)] {596}
[2017-02-09 22:26:36] imap_read_literal: reading 596 bytes
[2017-02-09 22:26:36] 4< )
[2017-02-09 22:26:36] parse_parameters: `charset="us-ascii"'
[2017-02-09 22:26:36] parse_parameter: `charset' = `us-ascii'
[2017-02-09 22:26:36] 4< * 3 FETCH (UID 83372 RFC822.SIZE 7474 INTERNALDATE "09-Feb-2017 22:03:03 +0000" FLAGS () BODY[HEADER.FIELDS (DATE FROM SUBJECT TO CC MESSAGE-ID REFERENCES CONTENT-TYPE CONTENT-DESCRIPTION IN-REPLY-TO REPLY-TO LINES LIST-POST X-LABEL)] {943}
[2017-02-09 22:26:36] imap_read_literal: reading 943 bytes
[2017-02-09 22:26:36] 4< )
[2017-02-09 22:26:36] parse_parameters: `charset="us-ascii"; Format="flowed"'
[2017-02-09 22:26:36] parse_parameter: `charset' = `us-ascii'
[2017-02-09 22:26:36] parse_parameter: `Format' = `flowed'
[2017-02-09 22:26:36] 4< * 4 FETCH (UID 83373 RFC822.SIZE 3983 INTERNALDATE "09-Feb-2017 22:05:01 +0000" FLAGS () BODY[HEADER.FIELDS (DATE FROM SUBJECT TO CC MESSAGE-ID REFERENCES CONTENT-TYPE CONTENT-DESCRIPTION IN-REPLY-TO REPLY-TO LINES LIST-POST X-LABEL)] {602}
[2017-02-09 22:26:36] imap_read_literal: reading 602 bytes
[2017-02-09 22:26:36] 4< )
[2017-02-09 22:26:36] parse_parameters: `charset="us-ascii"; Format="flowed"'
[2017-02-09 22:26:36] parse_parameter: `charset' = `us-ascii'
[2017-02-09 22:26:36] parse_parameter: `Format' = `flowed'
[2017-02-09 22:26:36] 4< a0006 OK Success
[2017-02-09 22:26:36] imap_open_mailbox: msgcount is 4
[2017-02-09 22:26:36] Sorting mailbox...
[2017-02-09 22:26:47] Mailbox is unchanged.
[2017-02-09 22:26:47] Closing connection to imap.gmail.com...
[2017-02-09 22:26:47] 4> a0007 CLOSE
a0008 LOGOUT
[2017-02-09 22:26:47] 4< a0007 OK Returned to authenticated state. (Success)
[2017-02-09 22:26:47] 4< * BYE LOGOUT Requested
[2017-02-09 22:26:47] Handling BYE
[2017-02-09 22:26:47] 4< a0008 OK 73 good day (Success)
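
Added here as a worked example, not code from mutt or from anyone in this thread: a small Python triage script for mutt "-d 2" logs in the format of the two attachments above. It does two things a reader of these logs wants. First, it summarises the ssl_verify_callback trace: which chain subjects were visited with preverify 0 and 1, what X509_verify_cert reported, and whether the connection ended with a usable fd (the "expired" log ends with fd=-1, the "2certs" log with fd=4); a subject that appears first with preverify 0 and again with preverify 1 is the footprint of answering the prompt with (o)nce and mutt re-checking from its cache. Second, it redacts the AUTHENTICATE PLAIN line. A level-2 debug log records that line verbatim, and its base64 payload is just the RFC 4616 PLAIN message (authzid NUL authcid NUL password), so a log posted as-is exposes the IMAP password. The sample logs below are constructed from the line shapes above with a made-up credential; the line formats and the fd=-1 convention are assumptions read from these logs, not from mutt's source.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Line shapes as they appear in the mutt 1.7.2 "-d 2" logs in this thread.
CHAIN_RE = re.compile(r"checking cert chain entry (.+?) \(preverify: ([01])\)")
X509_RE = re.compile(r"X509_verify_cert: (.+?) \((\d+)\)")
FD_RE = re.compile(r"Connected to \S+ on fd=(-?\d+)")
PLAIN_RE = re.compile(r"(AUTHENTICATE PLAIN )([A-Za-z0-9+/]+=*)")  # SASL-IR form only


@dataclass
class TlsTrace:
    chain: List[Tuple[str, bool]] = field(default_factory=list)        # (subject, preverify_ok)
    verify_errors: List[Tuple[str, int]] = field(default_factory=list) # (reason, X509 error code)
    fd: Optional[int] = None  # the logs show fd=-1 when the TLS setup was abandoned


def parse_tls_trace(log: str) -> TlsTrace:
    """Record every verify-callback visit, every OpenSSL verify error and
    the final socket fd, in log order."""
    trace = TlsTrace()
    for line in log.splitlines():
        if m := CHAIN_RE.search(line):
            trace.chain.append((m.group(1), m.group(2) == "1"))
        elif m := X509_RE.search(line):
            trace.verify_errors.append((m.group(1), int(m.group(2))))
        elif m := FD_RE.search(line):
            trace.fd = int(m.group(1))
    return trace


def connection_succeeded(trace: TlsTrace) -> bool:
    return trace.fd is not None and trace.fd >= 0


def interactively_accepted(trace: TlsTrace) -> List[str]:
    """Subjects seen first with preverify 0 and later with preverify 1: the
    pattern left behind when the prompt is answered with (o)nce and mutt
    re-runs verification against its cached certificate."""
    rejected = {s for s, ok in trace.chain if not ok}
    return sorted({s for s, ok in trace.chain if ok and s in rejected})


def decode_sasl_plain(blob: str) -> Tuple[str, str, str]:
    """RFC 4616 PLAIN message: [authzid] NUL authcid NUL passwd."""
    parts = base64.b64decode(blob, validate=True).split(b"\0")
    if len(parts) != 3:
        raise ValueError("not a SASL PLAIN message")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    return authzid, authcid, passwd


def redact_plain_auth(log: str) -> Tuple[str, List[str]]:
    """Replace each PLAIN initial response with a marker and return the
    authcids it carried, so the owner knows which password to rotate."""
    exposed: List[str] = []

    def _sub(m):
        try:
            _, authcid, _ = decode_sasl_plain(m.group(2))
        except (ValueError, UnicodeDecodeError):
            return m.group(0)  # not a PLAIN message; leave the line alone
        exposed.append(authcid)
        return m.group(1) + "[SASL PLAIN credentials redacted]"

    return PLAIN_RE.sub(_sub, log), exposed


# Constructed samples, cut down from the two attachments above. The PLAIN
# blob is built from a made-up credential, not the one in the original log.
FAKE_PLAIN = base64.b64encode(b"\0alice@example.com\0hunter2").decode()
ROOT = "/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA"
G2 = "/C=US/O=Google Inc/CN=Google Internet Authority G2"
LEAF = "/C=US/ST=California/L=Mountain View/O=Google Inc/CN=imap.gmail.com"

EXPIRED_LOG = f"""\
[22:36:38] ssl_verify_callback: checking cert chain entry {ROOT} (preverify: 0)
[22:36:38] ssl_verify_callback: digest check passed
[22:36:38] ssl_verify_callback: checking cert chain entry {G2} (preverify: 0)
[22:36:40] X509_verify_cert: certificate has expired (10)
[22:37:17] ssl_cache_trusted_cert: trusted
[22:37:17] ssl_verify_callback: checking cert chain entry {G2} (preverify: 1)
[22:37:17] ssl_verify_callback: using cached certificate
[22:37:17] ssl_verify_callback: checking cert chain entry {LEAF} (preverify: 1)
[22:37:17] SSL failed: I/O error
[22:37:18] Connected to imap.gmail.com:993 on fd=-1
"""

TWO_CERTS_LOG = f"""\
[22:26:27] ssl_verify_callback: checking cert chain entry {ROOT} (preverify: 0)
[22:26:27] ssl_verify_callback: digest check passed
[22:26:27] ssl_verify_callback: checking cert chain entry {G2} (preverify: 1)
[22:26:27] ssl_verify_callback: checking cert chain entry {LEAF} (preverify: 1)
[22:26:28] Connected to imap.gmail.com:993 on fd=4
[22:26:35] 4> a0001 AUTHENTICATE PLAIN {FAKE_PLAIN}
"""

if __name__ == "__main__":
    for name, log in (("expired", EXPIRED_LOG), ("2certs", TWO_CERTS_LOG)):
        t = parse_tls_trace(log)
        print(name, "ok" if connection_succeeded(t) else "FAILED", t.verify_errors,
              "accepted via prompt:", interactively_accepted(t))
        if exposed := redact_plain_auth(log)[1]:
            print(name, "log exposes PLAIN credentials for", exposed)
```

Run it against a real log with `parse_tls_trace(open(path).read())` and share only the output of `redact_plain_auth`. The redaction covers the SASL-IR form shown in the 2certs log (initial response on the AUTHENTICATE line); when a server lacks SASL-IR the base64 goes out on a separate continuation line, and that line would need the same treatment.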