When accessing my mail, news or whatever from Claws Mail, I invariably get a message telling that the SSL certificate is unknown. However, connecting to the same server with
openssl s_client -connect rollo.jernurt.dk:993 -verify 5
results in a complete verification of the certificate chain, ending with the root CA. The root CA is included in ca-certificates, so I would expect Claws to check there, rather than bothering me with accepting the same certificate over and over again. I cannot see any obvious way to tell claws where to look for root certificates, so I'm not sure if this is an intended (mis)feature, or it's a bug.
On Thu, 2014-07-24 at 07:43 +0200, Anders Wegge Keller wrote:
> When accessing my mail, news or whatever from Claws Mail, I invariably get a message telling that the SSL certificate is unknown. However, connecting to the same server with
> openssl s_client -connect rollo.jernurt.dk:993 -verify 5
> results in a complete verification of the certificate chain, ending with the root CA. The root CA is included in ca-certificates, so I would expect Claws to check there, rather than bothering me with accepting the same certificate over and over again. I cannot see any obvious way to tell claws where to look for root certificates, so I'm not sure if this is an intended (mis)feature, or it's a bug.
> -- /Wegge
> Leder efter redundant peering af dk.*,linux.debian.*
Depends on the version of claws-mail and libetpan, >=claws-mail-3.10 and compiled with >=libetpan-1.4 (or 1.4.1) is able to properly verify certificate chain, previous versions don't. On f20 it works fine after upgrade (claws-mail-3.10.1 is available, and libetpan-1.5 from updates repo).
bitlord bitlord0xff@gmail.com writes:
> Depends on the version of claws-mail and libetpan, >=claws-mail-3.10 and compiled with >=libetpan-1.4 (or 1.4.1) is able to properly verify certificate chain, previous versions don't. On f20 it works fine after upgrade (claws-mail-3.10.1 is available, and libetpan-1.5 from updates repo).
Okay, time to upgrade then. I'm running F19 with claws 3.9.3 and libetpan 1.1. Thanks for the info.
On Thu, 2014-07-24 at 08:53 +0200, Anders Wegge Keller wrote:
> bitlord bitlord0xff@gmail.com writes:
> > Depends on the version of claws-mail and libetpan, >=claws-mail-3.10 and compiled with >=libetpan-1.4 (or 1.4.1) is able to properly verify certificate chain, previous versions don't. On f20 it works fine after upgrade (claws-mail-3.10.1 is available, and libetpan-1.5 from updates repo).
> Okay, time to upgrade then. I'm running F19 with claws 3.9.3 and libetpan 1.1. Thanks for the info.
> -- /Wegge
> Leder efter redundant peering af dk.*,linux.debian.*
Also you can test it from the 'updates-testing' repo in f19, https://admin.fedoraproject.org/updates/FEDORA-2014-6774, with a command like this (or similar). It will probably pull in the latest libetpan as a dependency; if not, you can add it to the list (you probably know how to do it ;-)

# yum --enablerepo updates-testing update claws-mail*
bitlord bitlord0xff@gmail.com writes:
> On Thu, 2014-07-24 at 07:43 +0200, Anders Wegge Keller wrote:
> > results in a complete verification of the certificate chain, ending with the root CA. The root CA is included in ca-certificates, so I would expect Claws to check there, rather than bothering me with accepting the same certificate over and over again. I cannot see any obvious way to tell claws where to look for root certificates, so I'm not sure if this is an intended (mis)feature, or it's a bug.
> Depends on the version of claws-mail and libetpan, >=claws-mail-3.10 and compiled with >=libetpan-1.4 (or 1.4.1) is able to properly verify certificate chain, previous versions don't. On f20 it works fine after upgrade (claws-mail-3.10.1 is available, and libetpan-1.5 from updates repo).
After an upgrade to fc20, I still see the same behaviour. Doing an strace on claws-mail, I find that the CA store is read:

open("/etc/pki/tls/certs/ca-bundle.crt", O_RDONLY) = 27
fstat(27, {st_mode=S_IFREG|0444, st_size=240762, ...}) = 0
fstat(27, {st_mode=S_IFREG|0444, st_size=240762, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5ca4d67000
read(27, "-----BEGIN CERTIFICATE-----\nMIID"..., 237568) =
Using openssl with the -CAfile option:

openssl s_client -CAfile /etc/pki/tls/certs/ca-bundle.crt \
    -connect rollo.jernurt.dk:465 -verify 10

depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
verify return:1
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA
verify return:1
depth=0 description = 3zqC63tmwY0q4Q1r, C = DK, CN = rollo.jernurt.dk, emailAddress = postmaster@jernurt.dk
verify return:1
...
Start Time: 1406233112
Timeout   : 300 (sec)
Verify return code: 0 (ok)

So clearly, the certificate chain should be verifiable. But still claws complains that the certificate is unknown.

[awj@localhost ~]$ rpm -q claws-mail libetpan
claws-mail-3.10.1-1.fc20.x86_64
libetpan-1.5-1.fc20.x86_64
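The thread turns on whether the client can verify the full chain (root, intermediate, leaf) rather than only the leaf against the CA bundle. The script below is an added example, not code from the thread, from Claws Mail or from libetpan: it builds a throwaway root/intermediate/leaf chain with the openssl CLI and shows that the leaf verifies against the root only when the intermediate is supplied, the same way the StartCom intermediate is needed in the s_client output above. All names are constructed, and the keys live in a temporary directory.

```shell
#!/bin/sh
# Added example: build a throwaway root -> intermediate -> leaf chain and
# show that the leaf verifies only when the intermediate is available.
# All names are constructed; keys and certs are valid for two days only.
work=$(mktemp -d)
cd "$work" || exit 1

gen_chain() {
    # CA extensions for root and intermediate; plain end-entity for the leaf
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.test\n' > leaf.ext
    # self-signed root
    openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
        -subj '/CN=Constructed Test Root CA' 2>/dev/null || return 1
    openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext \
        -out root.pem 2>/dev/null || return 1
    # intermediate signed by the root
    openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
        -subj '/CN=Constructed Test Intermediate CA' 2>/dev/null || return 1
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 2 -extfile ca.ext -out int.pem 2>/dev/null || return 1
    # leaf (server) certificate signed by the intermediate
    openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
        -subj '/CN=mail.example.test' 2>/dev/null || return 1
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -days 2 -extfile leaf.ext -out leaf.pem 2>/dev/null || return 1
}

# verify_leaf TRUSTED [UNTRUSTED]: verify leaf.pem against the trust file,
# optionally with an untrusted intermediate (as a server would send it).
# Returns 0 when OpenSSL builds a chain to a trusted root, 1 otherwise.
verify_leaf() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$1" -untrusted "$2" leaf.pem >/dev/null 2>&1 && return 0
    else
        openssl verify -CAfile "$1" leaf.pem >/dev/null 2>&1 && return 0
    fi
    return 1
}

gen_chain || exit 1
# Root alone cannot verify the leaf because the intermediate is missing
# (OpenSSL error 20, "unable to get local issuer certificate").
if verify_leaf root.pem; then echo 'root only: ok'; else echo 'root only: fail'; fi
if verify_leaf root.pem int.pem; then echo 'root+intermediate: ok'; else echo 'root+intermediate: fail'; fi
```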