
Re: accepted ssl certificate suddenly not remembered

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Thursday, July  9 at 08:24 PM, quoth Rejo Zenger:
> I am running mutt from the official Ubuntu Hardy repository on a 
> x86_64 server. As of today, mutt is no longer able to remember 
> previously accepted SSL certificates and is unable to the 
> certificate_file.

Hmm. Kinda sounds like a certificate problem to me. When does your 
certificate expire? I'm guessing it expired yesterday.

> Then, after closing and restarting mutt, it will show me the 
> certificate again, it will ask me the same question,

This, I think, is the key piece of evidence. Mutt couldn't verify the 
old certificate. Unfortunately, mutt doesn't ever say WHY it couldn't 
verify the old certificate, but the most common reason is that either 
the certificate expired or couldn't be verified for some other reason. 
THIS, I think, is the thing you have to solve.

> but it's no longer possible to save it. It will barf back a warning: 
> "couldn't save certificate".

Interesting... possibly a result of the same problem.

> | read(0, "a", 1)                         = 1

This is mutt seeing that you pressed "a" (for "a"ccept always).

> | open("/home/rejo/.mutt_certificates", O_WRONLY|O_CREAT|O_APPEND, 
> 0666) = 5

This is mutt opening the certificate file for writing/appending, and 
getting it on file-descriptor 5.

> | fstat(5, {st_mode=S_IFREG|0600, st_size=2538, ...}) = 0

The fstat call on it succeeded, reporting the file to be 2538 bytes.

> | fstat(5, {st_mode=S_IFREG|0600, st_size=2538, ...}) = 0

A second fstat (why?) succeeded.

> | lseek(5, 2538, SEEK_SET)                = 2538

Mutt tried to seek to the end of the file.

> | close(5)                                = 0

Then mutt closed the file.

So it's not a permissions problem.

Unfortunately, that doesn't help much. Here's the relevant code in 
mutt (from mutt_ssl.c):

     done = 0;
     if ((fp = fopen (sslCertFile, "a")))
     {
         if (PEM_write_X509 (fp, cert))
             done = 1;
         safe_fclose (&fp);
     }
     if (!done)
     {
         mutt_error (_("Warning: Couldn't save certificate"));
         mutt_sleep (2);
     }

So, in order to get that "couldn't save certificate" error, the 
OpenSSL function PEM_write_X509 must have failed to do its job for 
some reason. (You'd get the same error message from a permissions 
problem, but since the strace shows no signs of a permissions problem,  
we know that's not the issue.) Unfortunately, OpenSSL is not really 
being very helpful because it doesn't give us an opportunity to find 
out exactly what has gone wrong.

My first guess, though, would be that your certificate has expired. I 
believe (though I'd have to check) that sometimes these PEM functions 
will fail if the certificate is expired.

Similar things have happened to me before, though in my case it was 
because my company re-used the webmail ssl certificate for IMAP, and 
webmail.example.com != imap.example.com. But the point is that the 
hostname being different prevented the certificate from being 
validated, which led to a host of problems like this.

~Kyle
- -- 
What greater thing is there for human souls than to feel that they are 
joined for life---to be with each other in silent unspeakable 
memories.
                                                        -- George Eliot
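Kyle's first guess is that the server certificate already saved in the store has expired, and mutt itself never says why verification failed. The script below is an added example written for this thread, not code from the mailing list or from mutt: it reads mutt's certificate_file (the default ~/.mutt_certificates seen in Rejo's strace is assumed as the path) as the plain concatenation of PEM blocks that mutt appends to, decodes each block and reports its validity period, using only the Python standard library. The sample store it runs on when no real file is present is constructed here from structurally minimal, unsigned "certificates" and is not real certificate data.

```python
"""Check the certificates mutt saved in certificate_file for expiry.

Mutt's certificate_file is a plain concatenation of PEM blocks, one per
accepted certificate.  This splits the file, decodes each block to DER and
reads the validity period from the ASN.1 structure (standard library only).
"""
import base64
import datetime as dt
import os
import re

UTC = dt.timezone.utc
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_blocks(text):
    """Return the DER bytes of every CERTIFICATE block in a PEM text."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(text)]


def der_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the contents of a SEQUENCE into its immediate (tag, value) children."""
    pos, out = 0, []
    while pos < len(value):
        tag, inner, pos = der_tlv(value, pos)
        out.append((tag, inner))
    return out


def asn1_time(tag, raw):
    """Parse UTCTime (tag 0x17) or GeneralizedTime (tag 0x18) in Zulu form."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=UTC)


def validity(der):
    """Return (not_before, not_after) of an X.509 certificate given as DER."""
    _, cert, _ = der_tlv(der, 0)            # Certificate ::= SEQUENCE
    fields = der_children(der_children(cert)[0][1])   # tbsCertificate fields
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    (t1, nb), (t2, na) = der_children(fields[3][1])
    return asn1_time(t1, nb), asn1_time(t2, na)


def check_store(text, now=None):
    """Classify every certificate in the store as valid / expired / not yet valid."""
    now = now or dt.datetime.now(UTC)
    report = []
    for i, der in enumerate(pem_blocks(text)):
        nb, na = validity(der)
        status = "expired" if now > na else "not yet valid" if now < nb else "valid"
        report.append((i, nb, na, status))
    return report


# --- constructed sample data: not real certificates, no signature ------------
def _tlv(tag, value):
    """Minimal DER encoder used only to build the sample store."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def constructed_cert(not_before, not_after):
    """Build a structurally minimal, unsigned 'certificate' as a PEM block."""
    utctime = lambda d: _tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02"))   # [0] version v3
                     + _tlv(0x02, b"\x01")              # serialNumber
                     + _tlv(0x30, b"")                  # signature (empty, sample only)
                     + _tlv(0x30, b"")                  # issuer (empty, sample only)
                     + _tlv(0x30, utctime(not_before) + utctime(not_after))
                     + _tlv(0x30, b"")                  # subject (empty, sample only)
                     + _tlv(0x30, b""))                 # subjectPublicKeyInfo (empty)
    cert = _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


SAMPLE_STORE = (constructed_cert(dt.datetime(2008, 7, 8, tzinfo=UTC), dt.datetime(2009, 7, 8, tzinfo=UTC))
                + constructed_cert(dt.datetime(2009, 1, 1, tzinfo=UTC), dt.datetime(2010, 1, 1, tzinfo=UTC)))


def demo():
    """Statuses of the two sample certificates as seen on 2009-07-09."""
    now = dt.datetime(2009, 7, 9, tzinfo=UTC)
    return [status for _, _, _, status in check_store(SAMPLE_STORE, now)]


if __name__ == "__main__":
    path = os.path.expanduser("~/.mutt_certificates")   # mutt's default certificate_file
    text = open(path).read() if os.path.exists(path) else SAMPLE_STORE
    for i, nb, na, status in check_store(text):
        print("cert #%d  notBefore=%s  notAfter=%s  %s" % (i, nb, na, status))
```

This only answers the expiry question; the other cause Kyle describes, a hostname that does not match the certificate, is not visible in the validity period and needs the subject and subjectAltName fields as well. For the first block of a real store, `openssl x509 -in ~/.mutt_certificates -noout -dates` gives the same two dates without any scripting.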