On Tue, May 31, 2022 at 03:00:48PM +0100, Stuart Henderson wrote:
> I've been able to replicate this now, but I'm not seeing any recent
> change in behaviour, I've tried with mutt versions going back to 2.0.7
> with the libressl version in 7.1, and on 7.0 with the current version
> of mutt in packages for release, and they all behave the same.
>
> It's not specific to any particular mail server but requires
> ssl_usesystemcerts=no.
>
> Avon: to work around your problem, remove "set ssl_usesystemcerts=no",
> it will then validate against /etc/ssl/cert.pem and avoid asking you
> each time. But I don't see what could have changed recently that is
> triggering it.
>
> Test case:
>
> $ cat .muttrc-test
> set certificate_file="~/.mutt_test_certificates"
> set pop_host="pops://[email protected]:995"
> set ssl_usesystemcerts=no
>
> $ rm .mutt_test_certificates
> $ mutt -F .muttrc-test
>
> <hit G, "fetch-mail">
> <hit a, "accept always">
> ^C, exit
> repeat trying to fetch mail
>
> With the "ssl_usesystemcerts=no" config, I would expect that mutt would
> need to save all of (server, intermediate, CA) certificates to its cert
> file, in order that it can verify in future.
>
> What actually happens is the server certificate is saved, not the CA
> or intermediate certificate, and *somehow* the validation succeeds if you
> append _any_ self-signed certificate (e.g. tail -25 /etc/ssl/cert.pem >>
> .mutt_test_certificates).
>
> Not sure if this is a Mutt problem or a LibreSSL one. I haven't compared
> with a build done against OpenSSL rather than LibreSSL yet (the only
> other install I have handy right now is Debian and their Mutt packages
> use gnutls instead which don't support setting ssl_usesystemcerts at all).

Brilliant Stuart. Thank you.

Removing "set ssl_usesystemcerts=no" from ~/.muttrc enables me to
fetch-mail from xtra.co.nz again on the M6600 laptop.

I do not recall when or why I changed the default setting. It has been
there a looong time. Probably years.

After I send this, I will return to the laptop and invoke
'mutt -F .muttrc-test', until file .mutt_test_certificates stops growing.
It is currently 3639 bytes. Do you want a copy of it when it stops growing?

I will try my other desktop machines tomorrow.

Below is a running log from the laptop based on your test case above.

m6600:/home/aer $ cat .muttrc-test
set certificate_file="~/.mutt_test_certificates"
set pop_host="pops://[email protected]:995"
set ssl_usesystemcerts=no
m6600:/home/aer $ rm .mutt_test_certificates
rm: .mutt_test_certificates: No such file or directory
m6600:/home/aer $ mutt -F .muttrc-test
### Needed to create ~/Mail
G
This certificate belongs to:
   symphytum.spacehopper.org
   Unknown
   Unknown
   Unknown
   Unknown
   Unknown
   Unknown

This certificate was issued by:
   Buypass Class 2 CA 5
   Unknown
   Buypass AS-983163327
   Unknown
   Unknown
   Unknown
   NO

This certificate is valid
   from Feb 14 11:08:09 2022 GMT
     to Aug 12 21:59:00 2022 GMT

SHA1 Fingerprint: 5C30 182D DC3B 03FB 55C5 5175 EFED 3E85 66CE 4815
SHA256 Fingerprint: E369 50E5 FCC6 5E56 C2B4 F47C 3658 1AC4 8FC0 410F DFAE 01CA 1955 CB07 F30E 0C02
a
# Displayed on mutt command line:
Password for [email protected]
^C
y   # To exit mutt

$ mutt -F .muttrc-test
# Error message flashed across screen, too fast to read.
# Displayed on mutt command line:
Error connecting to server: mail.spacehopper.org
E
# Switch brain on Avon!
# Quit mutt to add 'bind generic E error-history' to ~/.muttrc-test

$ mutt -F .muttrc-test
# Error message flashed across screen, too fast to read
# On mutt command line:
Error connecting to server: mail.spacehopper.org
E
Reading /var/mail/aer...
Reading /var/mail/aer... 0
Looking up mail.spacehopper.org...
Connecting to mail.spacehopper.org...
SSL failed: error:14FFF086:SSL routines:(UNKNOWN)SSL_internal:certificate verify failed
Error connecting to server: mail.spacehopper.org
i
q   # Then exited from mutt

# Invoked 'mutt -F .muttrc-test' 3 more times. Each time, the same
# error information as above was output.
#
# Since we had the same version of mutt and libssl.so.52.0 a few days
# ago, a newer snapshot has been installed on my laptop. The above was
# performed on the laptop with the newer snapshot. I now have:
#
kern.version=OpenBSD 7.1-current (GENERIC.MP) #563: Mon May 30 19:14:52 MDT 2022
    [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
-r--r--r--  1 root  bin    1509824 May 31 00:56 /usr/lib/libssl.so.52.0
drwxr-xr-x  2 root  wheel      512 May 31 20:19 /var/db/pkg/mutt-2.2.5v3-gpgme-sasl
-rwxr-xr-x  1 root  bin    1318616 May 29 00:37 /usr/local/bin/mutt

# With:
$ tail -25 /etc/ssl/cert.pem >> .mutt_test_certificates
$ mutt -F .muttrc-test
G
E
Reading /var/mail/aer...
Reading /var/mail/aer... 0
Looking up mail.spacehopper.org...
Connecting to mail.spacehopper.org...
SSL failed: error:14FFF086:SSL routines:(UNKNOWN)SSL_internal:certificate verify failed
Error connecting to server: mail.spacehopper.org

Regards
-- 
aer
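The thread's open question is what actually ends up in mutt's certificate_file and whether that bundle could verify the server on its own when ssl_usesystemcerts=no. The following shell script is an added example, not code from the thread, from mutt or from LibreSSL: it splits a PEM bundle (such as ~/.mutt_test_certificates) into its certificates and checks that the issuer of every non-self-signed certificate is itself present in the file, which is what a self-contained trust file needs; it assumes openssl(1) is installed, and the file path is whatever you pass in.

```shell
#!/bin/sh
# Added example (not code from the thread or from mutt): inspect the PEM
# bundle that mutt's certificate_file points at and check whether it holds
# the issuer of every non-self-signed certificate, which is what it would
# need to verify a server on its own with ssl_usesystemcerts=no.
# Assumes openssl(1) is installed; the file path is whatever you pass in.

# Split a PEM bundle ($1) into one file per certificate under directory $2.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$1"
}

# Print the subject or issuer ($1) of certificate file $2 in RFC 2253 form,
# so that an issuer name can be compared byte-for-byte with a subject name.
cert_name() {
    openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" | sed "s/^$1= *//"
}

# Return 0 when every non-self-signed certificate in bundle $1 has its
# issuer present in the same bundle; 1 when one is missing or the bundle
# is empty. Missing issuer names are reported on stderr.
chain_complete() {
    dir=$(mktemp -d) || return 2
    split_bundle "$1" "$dir"
    : > "$dir/subjects"; : > "$dir/issuers"
    for f in "$dir"/cert*.pem; do
        [ -f "$f" ] || { rm -rf "$dir"; return 1; }   # no certificate at all
        s=$(cert_name subject "$f"); i=$(cert_name issuer "$f")
        printf '%s\n' "$s" >> "$dir/subjects"
        # A self-signed certificate is its own issuer and needs no other entry.
        [ "$s" = "$i" ] || printf '%s\n' "$i" >> "$dir/issuers"
    done
    # Issuer names that no certificate in the bundle carries as its subject.
    missing=$(grep -vxF -f "$dir/subjects" "$dir/issuers" || true)
    rm -rf "$dir"
    [ -z "$missing" ] || { printf 'missing issuer: %s\n' "$missing" >&2; return 1; }
}

# Usage: chain_complete ~/.mutt_test_certificates && echo "chain is self-contained"
```

Run against the file mutt wrote in the test case above, it reports the Buypass issuer as missing when only the server certificate was saved, and appending an unrelated self-signed certificate does not change that verdict.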
