Claws mail and SSL certificates
Anders Wegge Keller
wegge at wegge.dk
Thu Jul 24 20:24:39 UTC 2014
bitlord <bitlord0xff at gmail.com> writes:
> On Thu, 2014-07-24 at 07:43 +0200, Anders Wegge Keller wrote:
> > results in a complete verification of the certificate chain, ending
> > with the root CA. The root CA is included in ca-certificates, so I
> > would expect Claws to check there, rather than bothering me with
> > accepting the same certificate over and over again. I cannot see any
> > obvious way to tell claws where to look for root certificates, so I'm
> > not sure if this is an intended (mis)feature, or it's a bug.
> Depends on the version of claws-mail and libetpan, >=claws-mail-3.10 and
> compiled with >=libetpan-1.4 (or 1.4.1) is able to properly verify
> certificate chain, previous versions don't. On f20 it works fine after
> upgrade (claws-mail-3.10.1 is available, and libetpan-1.5 from updates
> repo).
After an upgrade to fc20, I still see the same behaviour. Doing an
strace on claws-mail, I find that the CA store is read:

    open("/etc/pki/tls/certs/ca-bundle.crt", O_RDONLY) = 27
    fstat(27, {st_mode=S_IFREG|0444, st_size=240762, ...}) = 0
    fstat(27, {st_mode=S_IFREG|0444, st_size=240762, ...}) = 0
    mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5ca4d67000
    read(27, "-----BEGIN CERTIFICATE-----\nMIID"..., 237568) =

Using openssl with the -CAfile option:

    openssl s_client -CAfile /etc/pki/tls/certs/ca-bundle.crt \
        -connect rollo.jernurt.dk:465 -verify 10
    depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
    verify return:1
    depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA
    verify return:1
    depth=0 description = 3zqC63tmwY0q4Q1r, C = DK, CN = rollo.jernurt.dk, emailAddress = postmaster at jernurt.dk
    verify return:1
    ...
    Start Time: 1406233112
    Timeout : 300 (sec)
    Verify return code: 0 (ok)

So clearly, the certificate chain should be verifiable. But still
claws complains that the Certificate is unknown.

    [awj at localhost ~]$ rpm -q claws-mail libetpan
    claws-mail-3.10.1-1.fc20.x86_64
    libetpan-1.5-1.fc20.x86_64

--
/Wegge
Looking for redundant peering of dk.*,linux.debian.*
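
Added example, not part of the original post: a small parser for the `openssl s_client -verify` output shown in the message above, useful when scripting the same comparison against a mail client. By default s_client prints `verify return:1` and completes the handshake even when verification fails, so the check relies on `verify error` lines and the final `Verify return code`; the function names are hypothetical and the failing sample is constructed.

```python
import re

# Verification lines copied from the post above.
PAGE_OUTPUT = """\
depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
verify return:1
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA
verify return:1
depth=0 description = 3zqC63tmwY0q4Q1r, C = DK, CN = rollo.jernurt.dk, emailAddress = postmaster at jernurt.dk
verify return:1
Verify return code: 0 (ok)
"""

# Constructed sample: the issuer is missing from the CA file.
# Note that "verify return:1" is still printed at every step.
FAIL_OUTPUT = """\
depth=0 CN = mail.example.test
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = mail.example.test
verify error:num=21:unable to verify the first certificate
verify return:1
Verify return code: 21 (unable to verify the first certificate)
"""

DEPTH = re.compile(r"^depth=(\d+) (.+)$")
ERROR = re.compile(r"^verify error:num=(\d+):(.+)$")
FINAL = re.compile(r"^\s*Verify return code: (\d+) \((.+)\)$")
CN = re.compile(r"CN = ([^,]+)")

def parse_s_client(text):
    """Return ({depth: CN}, [(depth, errnum, message)], (code, message) or None)."""
    chain, errors, final, depth = {}, [], None, None
    for line in text.splitlines():
        if m := DEPTH.match(line):
            depth = int(m.group(1))
            cn = CN.search(m.group(2))
            chain[depth] = cn.group(1).strip() if cn else m.group(2)
        elif m := ERROR.match(line):
            errors.append((depth, int(m.group(1)), m.group(2)))
        elif m := FINAL.match(line):
            final = (int(m.group(1)), m.group(2))  # last occurrence wins
    return chain, errors, final

def chain_verified(text):
    """True only if a chain was seen, no verify error was logged, and the final code is 0."""
    chain, errors, final = parse_s_client(text)
    return bool(chain) and not errors and final is not None and final[0] == 0
```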