Re: Claws mail and SSL certificates

bitlord <bitlord0xff@xxxxxxxxx> writes:

> On Thu, 2014-07-24 at 07:43 +0200, Anders Wegge Keller wrote:

> >  results in a complete verification of the certificate chain, ending
> > with the root CA. The root CA is included in ca-certificates, so I
> > would expect Claws to check there, rather than bothering me with
> > accepting the same certificate over and over again. I cannot see any
> > obvious way to tell claws where to look for root certificates, so I'm
> > not sure if this is an intended (mis)feature, or it's a bug.

> Depends on the version of claws-mail and libetpan: >=claws-mail-3.10 and
> compiled with >=libetpan-1.4 (or 1.4.1) is able to properly verify the
> certificate chain; previous versions don't. On f20 it works fine after
> upgrade (claws-mail-3.10.1 is available, and libetpan-1.5 from updates
> repo).

 After an upgrade to fc20, I still see the same behaviour. Doing an
strace at claws-mail, I find that the CA store is read:

open("/etc/pki/tls/certs/ca-bundle.crt", O_RDONLY) = 27
fstat(27, {st_mode=S_IFREG|0444, st_size=240762, ...}) = 0
fstat(27, {st_mode=S_IFREG|0444, st_size=240762, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5ca4d67000
read(27, "-----BEGIN CERTIFICATE-----\nMIID"..., 237568) =

 Using openssl with the -CAfile option:

    openssl s_client -CAfile /etc/pki/tls/certs/ca-bundle.crt \
     -connect rollo.jernurt.dk:465 -verify 10

depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
verify return:1
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA
verify return:1
depth=0 description = 3zqC63tmwY0q4Q1r, C = DK, CN = rollo.jernurt.dk, emailAddress = postmaster@xxxxxxxxxx
verify return:1

...


    Start Time: 1406233112
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)


 So clearly, the certificate chain should be verifiable. But still
claws complains that the Certificate is unknown. 

[awj@localhost ~]$ rpm -q claws-mail libetpan
claws-mail-3.10.1-1.fc20.x86_64
libetpan-1.5-1.fc20.x86_64

-- 
/Wegge

Looking for redundant peering of dk.*,linux.debian.*