On Wed, Jun 01, 2022 at 02:56:48PM +0200, Theo Buehler wrote:
> On Tue, May 31, 2022 at 03:00:48PM +0100, Stuart Henderson wrote:
> > I've been able to replicate this now, but I'm not seeing any recent
> > change in behaviour; I've tried with mutt versions going back to 2.0.7
> > with the libressl version in 7.1, and on 7.0 with the current version
> > of mutt in packages for release, and they all behave the same.
> >
> > It's not specific to any particular mail server but requires
> > ssl_usesystemcerts=no.
> >
> > Avon: to work around your problem, remove "set ssl_usesystemcerts=no",
> > it will then validate against /etc/ssl/cert.pem and avoid asking you
> > each time. But I don't see what could have changed recently that is
> > triggering it.
> >
> > Test case:
> >
> > $ cat .muttrc-test
> > set certificate_file="~/.mutt_test_certificates"
> > set pop_host="pops://test_libressl_is...@mail.spacehopper.org:995"
> > set ssl_usesystemcerts=no
> >
> > $ rm .mutt_test_certificates
> > $ mutt -F .muttrc-test
> >
> > <hit G, "fetch-mail">
> > <hit a, "accept always">
> > ^C, exit
> > repeat trying to fetch mail
> >
> > With the "ssl_usesystemcerts=no" config, I would expect that mutt would
> > need to save all of (server, intermediate, CA) certificates to its cert
> > file, in order that it can verify in future.
> >
> > What actually happens is the server certificate is saved, not the CA
> > or intermediate certificate, and *somehow* the validation succeeds if you
> > append _any_ self-signed certificate (e.g. tail -25 /etc/ssl/cert.pem >>
> > .mutt_test_certificates).
> >
> > Not sure if this is a Mutt problem or a LibreSSL one. I haven't compared
> > with a build done against OpenSSL rather than LibreSSL yet (the only
> > other install I have handy right now is Debian and their Mutt packages
> > use gnutls instead which don't support setting ssl_usesystemcerts at all).
>
> It seems to be another issue with the new verifier. I cannot reproduce
> with mutt linked against eopenssl11 and I cannot reproduce with the
> legacy verifier.
>
> x509_verify_ctx_validate_legacy_chain() fails because PARTIAL_CHAIN
> isn't set and trust is X509_TRUST_UNTRUSTED.
>
> The connection works with the new verifier if the above muttrc is
> extended with 'set ssl_verify_partial_chains=yes'.
>
Thank you Theo. That is good to know. I will leave 'set ssl_usesystemcerts'
at its default setting for now, as advised by Stuart. I may remove it from
my ~/.muttrc and use 'set ssl_verify_partial_chains=yes' in the future;
however, if changing immediately would be useful, tell me and I will change
it. When I have time I will familiarise myself further with ssl(3) and
openssl(1).

Regards
--
aer
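Added example (written for this edit; not code from Stuart, Theo or aer, and not mutt's or LibreSSL's code): the trust situation Theo describes, reproduced with openssl(1) alone. The file handed to "openssl verify -CAfile" plays the role of mutt's certificate_file with ssl_usesystemcerts=no: after "accept always" it holds only the server (leaf) certificate, not its issuer. A verifier that insists on a chain to a self-signed anchor then reports the leaf untrusted; allowing partial chains (what 'set ssl_verify_partial_chains=yes' asks for) makes a direct trust-store match of the leaf sufficient. Assumptions: an openssl(1) that accepts -partial_chain (OpenSSL 1.0.2 or later; the LibreSSL openssl(1) on OpenBSD may not take that option) and a usable default openssl.cnf; the CA and host names are made up.

```shell
#!/bin/sh
# Added example: leaf-only trust store vs. partial-chain verification.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed throwaway CA and server certificate; every name is made up.
make_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Throwaway Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=mail.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# verify_against STORE CERT [verify flags...]  -> prints "ok" or "fail".
# STORE stands in for mutt's certificate_file.
verify_against() {
    store=$1; cert=$2; shift 2
    if openssl verify "$@" -CAfile "$store" "$cert" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Case 1: store holds only the leaf and a full chain is required (mutt's
# default): no issuer can be found, so the chain ends untrusted.
leaf_only_strict()  { verify_against "$WORK/leaf.pem" "$WORK/leaf.pem"; }

# Case 2: same store, partial chains allowed (ssl_verify_partial_chains=yes):
# the leaf itself matches a trusted certificate, which is enough.
leaf_only_partial() { verify_against "$WORK/leaf.pem" "$WORK/leaf.pem" -partial_chain; }

# Case 3: store holds the issuing CA (what Stuart expected mutt to save):
# a complete chain exists and no special flag is needed.
ca_in_store()       { verify_against "$WORK/ca.pem" "$WORK/leaf.pem"; }

make_certs
printf 'leaf only, full chain required: %s\n' "$(leaf_only_strict)"
printf 'leaf only, -partial_chain:      %s\n' "$(leaf_only_partial)"
printf 'issuing CA in store:            %s\n' "$(ca_in_store)"
```

Expected output is fail / ok / ok. The example covers only the documented behaviour of partial-chain verification; it does not reproduce the oddity Stuart saw with the LibreSSL new verifier, where appending an unrelated self-signed certificate to the file made validation pass.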