bitlord <bitlord0xff(a)gmail.com> writes:
On Thu, 2014-07-24 at 07:43 +0200, Anders Wegge Keller wrote:
> results in a complete verification of the certificate chain, ending
> with the root CA. The root CA is included in ca-certificates, so I
> would expect Claws to check there, rather than bothering me with
> accepting the same certificate over and over again. I cannot see any
> obvious way to tell claws where to look for root certificates, so I'm
> not sure if this is an intended (mis)feature, or it's a bug.
Depends on the version of claws-mail and libetpan, >=claws-mail-3.10 and
compiled with >=libetpan-1.4 (or 1.4.1) is able to properly verify
certificate chain, previous versions don't. On f20 it works fine after
upgrade (claws-mail-3.10.1 is available, and libetpan-1.5 from updates
repo).
After an upgrade to fc20, I still see the same behaviour. Doing an
strace at claws-mail, I find that the CA store is read:
open("/etc/pki/tls/certs/ca-bundle.crt", O_RDONLY) = 27
fstat(27, {st_mode=S_IFREG|0444, st_size=240762, ...}) = 0
fstat(27, {st_mode=S_IFREG|0444, st_size=240762, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5ca4d67000
read(27, "-----BEGIN CERTIFICATE-----\nMIID"..., 237568) =
Using openssl with the -CAfile option:
openssl s_client -CAfile /etc/pki/tls/certs/ca-bundle.crt \
-connect rollo.jernurt.dk:465 -verify 10
depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
verify return:1
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA
verify return:1
depth=0 description = 3zqC63tmwY0q4Q1r, C = DK, CN = rollo.jernurt.dk, emailAddress = postmaster(a)jernurt.dk
verify return:1
...
Start Time: 1406233112
Timeout : 300 (sec)
Verify return code: 0 (ok)
So clearly, the certificate chain should be verifiable. But still
claws complains that the Certificate is unknown.
[awj@localhost ~]$ rpm -q claws-mail libetpan
claws-mail-3.10.1-1.fc20.x86_64
libetpan-1.5-1.fc20.x86_64
--
/Wegge
Leder efter redundant peering af dk.*,linux.debian.*