On Tue, May 31, 2022 at 03:00:48PM +0100, Stuart Henderson wrote:
> I've been able to replicate this now, but I'm not seeing any recent
> change in behaviour, I've tried with mutt versions going back to 2.0.7
> with the libressl version in 7.1, and on 7.0 with the current version
> of mutt in packages for release, and they all behave the same.
> 
> It's not specific to any particular mail server but requires
> ssl_usesystemcerts=no.
> 
> Avon: to work around your problem, remove "set ssl_usesystemcerts=no",
> it will then validate against /etc/ssl/cert.pem and avoid asking you
> each time. But I don't see what could have changed recently that is
> triggering it.
> 
> Test case:
> 
> $ cat .muttrc-test
> set certificate_file="~/.mutt_test_certificates"
> set pop_host="pops://test_libressl_is...@mail.spacehopper.org:995"
> set ssl_usesystemcerts=no
> 
> $ rm .mutt_test_certificates
> $ mutt -F .muttrc-test
> 
> <hit G, "fetch-mail">
> <hit a, "accept always">
> ^C, exit
> repeat trying to fetch mail
> 
> With the "ssl_usesystemcerts=no" config, I would expect that mutt would
> need to save all of (server, intermediate, CA) certificates to its cert
> file, in order that it can verify in future.
> 
> What actually happens is the server certificate is saved, not the CA
> or intermediate certificate, and *somehow* the validation succeeds if you
> append _any_ self-signed certificate (e.g. tail -25 /etc/ssl/cert.pem >>
> .mutt_test_certificates).
> 
> Not sure if this is a Mutt problem or a LibreSSL one. I haven't compared
> with a build done against OpenSSL rather than LibreSSL yet (the only
> other install I have handy right now is Debian and their Mutt packages
> use gnutls instead which don't support setting ssl_usesystemcerts at all).
It seems to be another issue with the new verifier. I cannot reproduce with mutt linked against eopenssl11 and I cannot reproduce with the legacy verifier. x509_verify_ctx_validate_legacy_chain() fails because PARTIAL_CHAIN isn't set and trust is X509_TRUST_UNTRUSTED. The connection works with the new verifier if the above muttrc is extended with 'set ssl_verify_partial_chains=yes'.
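The situation in the thread, a certificate_file that holds only the server's leaf certificate while the server offers its intermediate in the handshake, can be reproduced outside mutt with openssl(1). The script below is an added example written for this page; it is not from the thread, from mutt or from LibreSSL. It assumes openssl(1) is in PATH, builds a throwaway root -> intermediate -> leaf chain under a mktemp directory, and uses made-up names (Demo Root CA, mail.example.test, the trust_*.pem file names). The leaf is verified against three trust files, with the intermediate passed as -untrusted to stand in for the server sending it. The -partial_chain option of openssl verify sets X509_V_FLAG_PARTIAL_CHAIN, the flag the reply above says is missing in the failing path and that ssl_verify_partial_chains=yes supplies.

```sh
#!/bin/sh
# Added example (not from the thread): reproduce the leaf-only trust file
# case with openssl(1). "Demo Root CA", mail.example.test and $PKI_DIR are
# assumptions for the demo, not names from the original report.
set -e

PKI_DIR=$(mktemp -d)

# Minimal req/x509 config so the demo does not depend on the system openssl.cnf.
cat > "$PKI_DIR/demo.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_inter ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[ v3_leaf ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:mail.example.test
EOF

# Build root -> intermediate -> leaf, plus the trust files to verify against.
make_pki() (
    cd "$PKI_DIR"
    openssl req -x509 -config demo.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
        -sha256 -days 30 -subj "/CN=Demo Root CA" -keyout root.key -out root.pem 2>/dev/null
    openssl req -new -config demo.cnf -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Demo Intermediate CA" -keyout inter.key -out inter.csr 2>/dev/null
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial -days 30 \
        -sha256 -extfile demo.cnf -extensions v3_inter -out inter.pem 2>/dev/null
    openssl req -new -config demo.cnf -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=mail.example.test" -keyout leaf.key -out leaf.csr 2>/dev/null
    openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial -days 30 \
        -sha256 -extfile demo.cnf -extensions v3_leaf -out leaf.pem 2>/dev/null
    # An unrelated self-signed certificate, standing in for "tail -25 /etc/ssl/cert.pem".
    openssl req -x509 -config demo.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
        -sha256 -days 30 -subj "/CN=Unrelated Self-Signed" -keyout junk.key -out junk.pem 2>/dev/null
    cp leaf.pem trust_leaf_only.pem                         # what mutt actually saved
    cat leaf.pem junk.pem > trust_leaf_plus_selfsigned.pem  # after appending a random self-signed cert
    cat inter.pem root.pem > trust_chain.pem                # what a complete certificate_file needs
)

# Verify leaf.pem against one trust file. The intermediate goes in as
# -untrusted, mirroring a server that sends it in the TLS handshake.
# $1 = trust file in $PKI_DIR; any further args are passed to openssl verify.
verify_leaf() {
    trust=$1; shift
    openssl verify -CAfile "$PKI_DIR/$trust" -untrusted "$PKI_DIR/inter.pem" "$@" "$PKI_DIR/leaf.pem"
}

# Same check, but never aborts the script: prints "verified" or "rejected".
verify_result() {
    if verify_leaf "$@" >/dev/null 2>&1; then echo verified; else echo rejected; fi
}

make_pki
printf 'leaf only, no flag:                    %s\n' "$(verify_result trust_leaf_only.pem)"
printf 'leaf only, -partial_chain:             %s\n' "$(verify_result trust_leaf_only.pem -partial_chain)"
printf 'leaf + unrelated self-signed, no flag: %s\n' "$(verify_result trust_leaf_plus_selfsigned.pem)"
printf 'intermediate + root, no flag:          %s\n' "$(verify_result trust_chain.pem)"
```

With OpenSSL the first case is rejected (the chain cannot be extended to a self-signed anchor), the second is verified because -partial_chain lets the leaf itself act as the trust anchor, and the fourth is verified because the file holds the issuers. The third case is the "append any self-signed certificate" oddity from the quoted report: with OpenSSL it is still rejected, since the extra certificate is unrelated to the chain; the report says the LibreSSL build accepted it, which is the behaviour the reply attributes to the new verifier.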