Claws mail and SSL certificates

Anders Wegge Keller wegge at wegge.dk
Thu Jul 24 20:24:39 UTC 2014


bitlord <bitlord0xff at gmail.com> writes:

> On Thu, 2014-07-24 at 07:43 +0200, Anders Wegge Keller wrote:

> >  results in a complete verification of the certificate chain, ending
> > with the root CA. The root CA is included in ca-certificates, so I
> > would expect Claws to check there, rather than bothering me with
> > accepting the same certificate over and over again. I cannot see any
> > obvious way to tell claws where to look for root certificates, so I'm
> > not sure if this is an intended (mis)feature, or it's a bug.

> Depends on the version of claws-mail and libetpan: >=claws-mail-3.10
> compiled with >=libetpan-1.4 (or 1.4.1) is able to properly verify the
> certificate chain; previous versions don't. On f20 it works fine after
> upgrade (claws-mail-3.10.1 is available, and libetpan-1.5 from updates
> repo).

 After an upgrade to fc20, I still see the same behaviour. Doing an
strace at claws-mail, I find that the CA store is read:

open("/etc/pki/tls/certs/ca-bundle.crt", O_RDONLY) = 27
fstat(27, {st_mode=S_IFREG|0444, st_size=240762, ...}) = 0
fstat(27, {st_mode=S_IFREG|0444, st_size=240762, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5ca4d67000
read(27, "-----BEGIN CERTIFICATE-----\nMIID"..., 237568) =

 Using openssl with the -CAfile option:

    openssl s_client -CAfile /etc/pki/tls/certs/ca-bundle.crt \
     -connect rollo.jernurt.dk:465 -verify 10

depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
verify return:1
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA
verify return:1
depth=0 description = 3zqC63tmwY0q4Q1r, C = DK, CN = rollo.jernurt.dk, emailAddress = postmaster at jernurt.dk
verify return:1

...


    Start Time: 1406233112
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)


 So clearly, the certificate chain should be verifiable. But still
claws complains that the Certificate is unknown. 

[awj at localhost ~]$ rpm -q claws-mail libetpan
claws-mail-3.10.1-1.fc20.x86_64
libetpan-1.5-1.fc20.x86_64

-- 
/Wegge

Looking for redundant peering of dk.*,linux.debian.*
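The chain walk in the openssl output above (depth 2 root, depth 1 intermediate, depth 0 server certificate), reproduced against a constructed chain as an added example that is not part of the thread. It assumes the openssl CLI and a POSIX shell; every certificate name is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway root -> intermediate -> leaf
# chain with openssl, then verify the leaf the way the poster's s_client run does
# (full chain up to a trusted root) and show the failure an application gets when
# the root is missing from the trust store it consults. All names are constructed.
set -e

# mk_chain DIR: writes root.pem, int.pem, leaf.pem (plus keys) into DIR
mk_chain() {
    d="$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.test\n' > "$d/leaf.ext"
    for n in root int leaf; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" \
            -out "$d/$n.csr" -subj "/CN=Example $n" >/dev/null 2>&1
    done
    # self-signed root: depth 2 in the poster's s_client output
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" >/dev/null 2>&1
    # intermediate signed by the root: depth 1
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 1 -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" >/dev/null 2>&1
    # server certificate signed by the intermediate: depth 0
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -set_serial 2 -days 2 -extfile "$d/leaf.ext" -out "$d/leaf.pem" >/dev/null 2>&1
}

# verify_leaf TRUSTED_CA_FILE UNTRUSTED_INTERMEDIATES LEAF
# Trusted roots and the intermediates a server sends are kept apart, as
# s_client does with -CAfile versus the chain received on the wire.
# Returns openssl verify's exit status: 0 only if the chain reaches a
# self-signed certificate in TRUSTED_CA_FILE.
verify_leaf() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

dir=$(mktemp -d)
mk_chain "$dir"
if verify_leaf "$dir/root.pem" "$dir/int.pem" "$dir/leaf.pem"; then
    echo "root in trust store: chain verifies (verify return code 0)"
fi
# Same leaf and intermediate, but the trust store holds only the intermediate:
# no self-signed anchor is reached, so verification fails.
if ! verify_leaf "$dir/int.pem" "$dir/int.pem" "$dir/leaf.pem"; then
    echo "root absent from trust store: verification fails"
fi
rm -rf "$dir"
```

Point verify_leaf's first argument at /etc/pki/tls/certs/ca-bundle.crt and the last two at a chain saved from s_client to repeat the poster's check with the system store.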

