Re: IMAP certificate warning
- From: Carlos Morgado <chbm chbm nu>
- To: Balsa List <balsa-list gnome org>
- Subject: Re: IMAP certificate warning
- Date: Fri, 9 Nov 2001 10:20:54 +0000
On 2001.11.09 09:11:22 +0000 Brian Stafford wrote:
> Sorry about the late reply, my mail was off line yesterday afternoon!
> I guess you know what is in the next paragraph but I'll say it anyway :)
> Regarding validation of the server certificate in a client; the SSL/TLS
> protocol will supply the server certificate to the client. The default
> validation callback in OpenSSL handles the typical case reasonably, however
> if it cannot verify the certificate based on the trusted CAs or the cert is
> self signed or is otherwise inconsistent, the call to SSL_connect() will
aparently this is not the case. Toralf has a 'real' cert
> fail and no TLS session is established. For this reason, it might be
> useful to supply a custom validation callback which accepts any certificate
> for establishing a connection, this will allow SSL_connect() to succeed
> with unknown CAs etc. Either way, SSL_get_verify_result() can then be used
> to decide whether to proceed; even with the default callback there are
> conditions where some clients might not accept a certificate that is
> otherwise acceptable to OpenSSL.
the openssl callback stuff looks yucky to me. maybe i don't understand the
> End of stating the obvious ;)
> What I suspect is happening is that Balsa does not have a list of trusted
> top level CAs and hence is unable to verify that the official certificate
> is genuine. If you look for starttls_create_ctx() in smtp-tls.c (with the
> libESMTP distro) you will see my approach to setting up the trusted CA
> list. I guess libmutt does something similar.
> Part the problem here is that OpenSSL (AFAIK) has no system wide structure
> for configuring CRLs, CA certifictates etc. so every application does its
> own thing. It is possible that the top level CAs are set up for another
> app. but balsa (or libESMTP for that matter) has no idea where they are,
> even if the other app is an OpenSSL one. Another problem is that certs are
oh. crap crap crap. i my disgust for openssl grows everyday.
> stored in PEM format which is simple but not used by most CAs. This means
> most punters will have a problem installing the CA certificate - worse, it
> has to be done for every app. Since some apps will try to use more
hum. mutt does have a 'always accept this cert' option in the user iteraction
> conventional certificate formats than PEM installation is a nightmare -
> convert to format for app a, store in directory for app a - convert to
> format for app b ... you get the picture.
> A thought occurrs to me. I noticed the GNU TLS suite mentioned on
> Freshmeat the other day. Perhaps we should look into this for TLS in our
> (L)GPLed programs; if we got in soon enough it might be in time to solve
> the certificate management side of things on a system wide basis. Thoughts?
aparently it uses libgcrypt which should be a good thing. is supporting only
tls and ssl3 bad ? is ssl2 still used ?
as i said before, i'm seriously looking at religthing the NSS candle in
Carlos Morgado - chbm(at)chbm(dot)nu - http://chbm.nu/ -- gpgkey: 0x1FC57F0A
http://wwwkeys.pgp.net/ FP:0A27 35D3 C448 3641 0573 6876 2A37 4BB2 1FC5 7F0A
Software is like sex; it's better when it's free. - Linus Torvalds
] [Thread Prev