this fixes mutt.
The problem is we need num_untrusted set correctly, it is normally
set in the set_xsc_chain call (which is called from a number of places)
but in this case we need to have it set before we can call that.
So just hoist the correct logic before the call to x509_vfy_check_trust
It will also get duplicated in set_xsc_chain which is harmless.
ok?
Index: x509/x509_verify.c
===================================================================
RCS file: /cvs/src/lib/libcrypto/x509/x509_verify.c,v
retrieving revision 1.56
diff -u -p -u -p -r1.56 x509_verify.c
--- x509/x509_verify.c 25 Jun 2022 20:01:43 -0000 1.56
+++ x509/x509_verify.c 25 Jun 2022 21:59:09 -0000
@@ -392,6 +392,9 @@ x509_verify_ctx_validate_legacy_chain(st
/* These may be set in one of the following calls. */
ctx->xsc->error = X509_V_OK;
ctx->xsc->error_depth = 0;
+ ctx->xsc->num_untrusted = sk_X509_num(chain->certs);
+ if (ctx->xsc->num_untrusted > 0)
+ ctx->xsc->num_untrusted--;
trust = x509_vfy_check_trust(ctx->xsc);
if (trust == X509_TRUST_REJECTED)
On Wed, Jun 01, 2022 at 02:56:48PM +0200, Theo Buehler wrote:
> On Tue, May 31, 2022 at 03:00:48PM +0100, Stuart Henderson wrote:
> > I've been able to replicate this now, but I'm not seeing any recent
> > change in behaviour, I've tried with mutt versions going back to 2.0.7
> > with the libressl version in 7.1, and on 7.0 with the current version
> > of mutt in packages for release, and they all behave the same.
> >
> > It's not specific to any particular mail server but requires
> > ssl_usesystemcerts=no.
> >
> > Avon: to workaround your problem, remove "set ssl_usesystemcerts=no",
> > it will then validate against /etc/ssl/cert.pem and avoid asking you
> > each time. But I don't see what could have changed recently that is
> > triggering it.
> >
> > Test case:
> >
> > $ cat .muttrc-test
> > set certificate_file="~/.mutt_test_certificates"
> > set pop_host="pops://test_libressl_is...@mail.spacehopper.org:995"
> > set ssl_usesystemcerts=no
> >
> > $ rm .mutt_test_certificates
> > $ mutt -F .muttrc-test
> >
> > <hit G, "fetch-mail">
> > <hit a, "accept always">
> > ^C, exit
> > repeat trying to fetch mail
> >
> > With the "ssl_usesystermcerts=no" config, I would expect that mutt would
> > need to save all of (server, intermediate, CA) certificates to its cert
> > file, in order that it can verify in future.
> >
> > What actually happens is the server certificate is saved, not the CA
> > or intermediate certificate, and *somehow* the validation succeeds if you
> > append _any_ self-signed certificate (e.g. tail -25 /etc/ssl/cert.pem >>
> > .mutt_test_certificates).
> >
> > Not sure if this is a Mutt problem or a LibreSSL one. I haven't compared
> > with a build done against OpenSSL rather than LibreSSL yet (the only
> > other install I have handy right now is Debian and their Mutt packages
> > use gnutls instead which don't support setting ssl_usesystemcerts at all).
>
> It seems to be another issue with the new verifier. I cannot reproduce
> with mutt linked against eopenssl11 and I cannot reproduce with the
> legacy verifier.
>
> x509_verify_ctx_validate_legacy_chain() fails because PARTIAL_CHAIN
> isn't set and trust is X509_TRUST_UNTRUSTED.
>
> The connection works with the new verifier if the above muttrc is
> extended with 'set ssl_verify_partial_chains=yes'.
