Re: IMAP certificate warning

From: Carlos Morgado <chbm chbm nu>
To: Balsa List <balsa-list gnome org>
Subject: Re: IMAP certificate warning
Date: Fri, 9 Nov 2001 10:20:54 +0000

On 2001.11.09 09:11:22 +0000 Brian Stafford wrote:

> 
> Sorry about the late reply, my mail was off line yesterday afternoon!
> 
> I guess you know what is in the next paragraph but I'll say it anyway :)
> ===
> 
> Regarding validation of the server certificate in a client; the SSL/TLS 
> protocol will supply the server certificate to the client.  The default 
> validation callback in OpenSSL handles the typical case reasonably, however 
> if it cannot verify the certificate based on the trusted CAs or the cert is 
> self signed or is otherwise inconsistent, the call to SSL_connect() will

aparently this is not the case. Toralf has a 'real' cert

> fail and no TLS session is established.  For this reason, it might be 
> useful to supply a custom validation callback which accepts any certificate 
> for establishing a connection, this will allow SSL_connect() to succeed 
> with unknown CAs etc.  Either way, SSL_get_verify_result() can then be used 
> to decide whether to proceed; even with the default callback there are 
> conditions where some clients might not accept a certificate that is 
> otherwise acceptable to OpenSSL.
> 
the openssl callback stuff looks yucky to me. maybe i don't understand the 
paradigm :)

> ===
> End of stating the obvious ;)
> 
> What I suspect is happening is that Balsa does not have a list of trusted 
> top level CAs and hence is unable to verify that the official certificate 
> is genuine.  If you look for starttls_create_ctx() in smtp-tls.c (with the 
> libESMTP distro) you will see my approach to setting up the trusted CA 
> list.  I guess libmutt does something similar.
> 
SSL_CTX_new

> Part the problem here is that OpenSSL (AFAIK) has no system wide structure 
> for configuring CRLs, CA certifictates etc. so every application does its 
> own thing.  It is possible that the top level CAs are set up for another 
> app. but balsa (or libESMTP for that matter) has no idea where they are, 
> even if the other app is an OpenSSL one.  Another problem is that certs are

oh. crap crap crap. i my disgust for openssl grows everyday.

> stored in PEM format which is simple but not used by most CAs.  This means 
> most punters will have a problem installing the CA certificate - worse, it 
> has to be done for every app.  Since some apps will try to use more

hum. mutt does have a 'always accept this cert' option in the user iteraction

> conventional certificate formats than PEM installation is a nightmare - 
> convert to format for app a, store in directory for app a - convert to 
> format for app b ... you get the picture.
> 
*barf*

> 
> A thought occurrs to me.  I noticed the GNU TLS suite mentioned on 
> Freshmeat the other day.  Perhaps we should look into this for TLS in our 
> (L)GPLed programs; if we got in soon enough it might be in time to solve 
> the certificate management side of things on a system wide basis.  Thoughts?
> 

aparently it uses libgcrypt which should be a good thing. is supporting only
tls and ssl3 bad ? is ssl2 still used ?

as i said before, i'm seriously looking at religthing the NSS candle in
mutt .. 
-- 
Carlos Morgado - chbm(at)chbm(dot)nu - http://chbm.nu/ -- gpgkey: 0x1FC57F0A
http://wwwkeys.pgp.net/ FP:0A27 35D3 C448 3641 0573 6876 2A37 4BB2 1FC5 7F0A
Software is like sex; it's better when it's free. - Linus Torvalds

Follow-Ups:
- Re: IMAP certificate warning
  - From: Brian Stafford

References:
- IMAP certificate warning
  - From: Toralf Lund
- Re: IMAP certificate warning
  - From: Pawel Salek
- Re: IMAP certificate warning
  - From: Carlos Morgado
- Re: IMAP certificate warning
  - From: Brian Stafford

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]