Re: [Mutt] #3229: allow ssl certificates with insecure algorithm if
#3229: allow ssl certificates with insecure algorithm if they are in the cache
-------------------------------+--------------------------------------------
Reporter: antonio@xxxxxxxx | Owner: mutt-dev
Type: defect | Status: new
Priority: minor | Milestone:
Component: crypto | Version: 1.5.19
Resolution: | Keywords:
-------------------------------+--------------------------------------------
Comment(by antonio@xxxxxxxx):
(better correspondence without quotes)
Source file: mutt_ssl_gnutls.c
Function: tls_check_certificate
What we see is that if GnuTLS classifies the certificate as signed with an
insecure algorithm (i.e. setting the GNUTLS_CERT_INSECURE_ALGORITHM bit in
certstat), that bit is not handled, even if the cert is in the cache; that
means that the cert will always be invalid and the user will be asked to
accept it again even if it's in the cache.
From what I see in tls_check_certificate from line 572 to line 595, you
unset all certstat bits if the certificate is in the cache (i.e.
tls_compare_certificates() returned 1); unfortunately you are not handling
the GNUTLS_CERT_INSECURE_ALGORITHM bit, causing the side effect described
above.
The attached patch fixes the problem.
--
Ticket URL: <http://dev.mutt.org/trac/ticket/3229#comment:1>
Mutt <http://www.mutt.org/>
The Mutt mail user agent
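
The behaviour reported in the comment above, as a small added model that is not mutt's source and not the attached patch. The `ST_*` names, the two masks and `remaining_status()` are hypothetical; the bit values are assumed to match gnutls.h, and which bits mutt forgives for a cached certificate is an assumption.

```c
#include <stdio.h>

/* Local stand-ins for the GnuTLS verification status bits; the values are
 * assumed to match gnutls.h and are redefined so this runs without GnuTLS. */
enum {
    ST_INVALID            = 1 << 1,
    ST_REVOKED            = 1 << 5,
    ST_SIGNER_NOT_FOUND   = 1 << 6,
    ST_SIGNER_NOT_CA      = 1 << 7,
    ST_INSECURE_ALGORITHM = 1 << 8
};

/* Bits forgiven for a cached certificate (assumed set, not copied from mutt).
 * BEFORE omits the insecure-algorithm bit, AFTER includes it. */
#define CACHED_MASK_BEFORE (ST_INVALID | ST_SIGNER_NOT_FOUND | ST_SIGNER_NOT_CA)
#define CACHED_MASK_AFTER  (CACHED_MASK_BEFORE | ST_INSECURE_ALGORITHM)

/* Returns the status bits still set after cache handling. Any non-zero
 * result means the certificate is treated as invalid and the user is asked. */
unsigned remaining_status(unsigned certstat, int in_cache, unsigned cached_mask)
{
    if (in_cache)
        certstat &= ~cached_mask; /* user already accepted this exact cert */
    return certstat;
}

int main(void)
{
    /* Constructed sample: self-signed cert whose signature uses a weak hash. */
    unsigned st = ST_INVALID | ST_SIGNER_NOT_FOUND | ST_INSECURE_ALGORITHM;

    printf("cached, bit unhandled: 0x%x left (prompt again)\n",
           remaining_status(st, 1, CACHED_MASK_BEFORE));
    printf("cached, bit handled:   0x%x left (accepted)\n",
           remaining_status(st, 1, CACHED_MASK_AFTER));
    /* A certificate that is not in the cache keeps every bit and still prompts. */
    printf("not cached:            0x%x left (prompt)\n",
           remaining_status(st, 0, CACHED_MASK_AFTER));
    /* In this model revocation is never forgiven, even for a cached cert. */
    printf("cached but revoked:    0x%x left (prompt)\n",
           remaining_status(ST_INVALID | ST_REVOKED, 1, CACHED_MASK_AFTER));
    return 0;
}
```
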