<<< Date Index >>>     <<< Thread Index >>>

[Mutt] #3228: allow ssl certificates with insecure algorithm if they are in the cache



#3228: allow ssl certificates with insecure algorithm if they are in the cache
------------------------------+---------------------------------------------
 Reporter:  antonio@xxxxxxxx  |       Owner:  mutt-dev
     Type:  defect            |      Status:  new     
 Priority:  minor             |   Milestone:          
Component:  crypto            |     Version:  1.5.19  
 Keywords:                    |  
------------------------------+---------------------------------------------
 Forwarding from http://bugs.debian.org/

 ---
 {{{
 Source file: mutt_ssl_gnutls.c
 Function: tls_check_certificate

 What we see if that GNUtls classify the certificate as signed with an
 insecure algorithm (i.e. setting the GNUTLS_CERT_INSECURE_ALGORITHM bit in
 certstat), that bit is not handled, even if the cert is in the cache, that
 means that the cert will always be invalid and the user will be asked to
 accept it again even if it's in the cache.

 From what I see in tls_check_certificate from line 572 to line 595 you
 unset all certstat bits if the certificate is in the cache (i.e.
 tls_compare_certificates() returned 1), unfortunately you are not handling
 the GNUTLS_CERT_INSECURE_ALGORITHM bit causing the side effect described
 above.

 The attached patch fix the problem
 }}}

 Cheers
 Antonio

-- 
Ticket URL: <http://dev.mutt.org/trac/ticket/3228>
Mutt <http://www.mutt.org/>
The Mutt mail user agent