bitlord <[email protected]> writes:
> On Thu, 2014-07-24 at 07:43 +0200, Anders Wegge Keller wrote:
> > results in a complete verification of the certificate chain, ending
> > with the root CA. The root ca is included in ca-certificates, so I
> > would expect Claws to check there, rather than bothering me with
> > accepting the same certificate over and over again. I cannot see any
> > obvious way to tell claws where to look for root certificates, so I'm
> > not sure if this is an intended (mis)feature, or it's a bug.
> Depends on the version of claws-mail and libetpan, >=claws-mail-3.10 and
> compiled with >=libetpan-1.4 (or 1.4.1) is able to properly verify
> certificate chain, previous versions don't. On f20 it works fine after
> upgrade (claws-mail-3.10.1 is available, and libetpan-1.5 from updates
> repo).

After an upgrade to fc20, I still see the same behaviour. Doing an
strace at claws-mail, I find that the CA store is read:

    open("/etc/pki/tls/certs/ca-bundle.crt", O_RDONLY) = 27
    fstat(27, {st_mode=S_IFREG|0444, st_size=240762, ...}) = 0
    fstat(27, {st_mode=S_IFREG|0444, st_size=240762, ...}) = 0
    mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5ca4d67000
    read(27, "-----BEGIN CERTIFICATE-----\nMIID"..., 237568) =

Using openssl with the -CAfile option:

    openssl s_client -CAfile /etc/pki/tls/certs/ca-bundle.crt \
        -connect rollo.jernurt.dk:465 -verify 10
    depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
    verify return:1
    depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA
    verify return:1
    depth=0 description = 3zqC63tmwY0q4Q1r, C = DK, CN = rollo.jernurt.dk, emailAddress = [email protected]
    verify return:1
    ...
    Start Time: 1406233112
    Timeout : 300 (sec)
    Verify return code: 0 (ok)

So clearly, the certificate chain should be verifiable. But still
claws complains that the Certificate is unknown.

    [awj@localhost ~]$ rpm -q claws-mail libetpan
    claws-mail-3.10.1-1.fc20.x86_64
    libetpan-1.5-1.fc20.x86_64

--
/Wegge
Looking for redundant peering of dk.*,linux.debian.*
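
Added example, not part of the original message: a constructed three-level chain shaped like the depth=2/1/0 chain in the s_client output above, checked with `openssl verify` against a CA file that holds only the root, once with the intermediate supplied and once without. All subjects and file names are made up; it assumes the openssl command-line tool is installed with its default configuration file.

```shell
#!/bin/sh
# Added example: every subject, key and file below is constructed.

# Create a key and CSR for subject CN=$2 as $1/$3.key and $1/$3.csr.
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
}

# Build root -> intermediate -> leaf in directory $1.
build_chain() {
    # Extensions that mark the root and the intermediate as CAs.
    printf '%s\n' 'basicConstraints = critical, CA:TRUE' \
        'keyUsage = critical, keyCertSign, cRLSign' > "$1/ca.ext"
    new_csr "$1" "Example Root CA" root &&
    openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" \
        -extfile "$1/ca.ext" -days 2 -out "$1/root.pem" 2>/dev/null &&
    new_csr "$1" "Example Intermediate CA" int &&
    openssl x509 -req -in "$1/int.csr" -CA "$1/root.pem" \
        -CAkey "$1/root.key" -CAcreateserial -extfile "$1/ca.ext" \
        -days 2 -out "$1/int.pem" 2>/dev/null &&
    new_csr "$1" "mail.example.test" leaf &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/int.pem" \
        -CAkey "$1/int.key" -CAcreateserial \
        -days 2 -out "$1/leaf.pem" 2>/dev/null
}

# Verify the leaf against a trust store holding only the root.
# $2 = "with-intermediate" supplies the intermediate as an untrusted
# helper certificate, the way a TLS server sends it in the handshake.
# Returns openssl's exit status: 0 only when the whole chain verifies.
verify_leaf() {
    if [ "$2" = "with-intermediate" ]; then
        openssl verify -CAfile "$1/root.pem" \
            -untrusted "$1/int.pem" "$1/leaf.pem"
    else
        openssl verify -CAfile "$1/root.pem" "$1/leaf.pem"
    fi >/dev/null 2>&1
}

dir=$(mktemp -d) && build_chain "$dir" || exit 1
verify_leaf "$dir" with-intermediate &&
    echo "root in CA file, intermediate supplied: verify ok"
verify_leaf "$dir" ||
    echo "root in CA file, no intermediate: leaf issuer not found"
rm -rf "$dir"
```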