[Users] Correct SSL certificate chain verification on IMAP/NNTP

Colin Leroy colin at colino.net
Wed Apr 23 23:03:29 CEST 2014


Hello,

Since we switched the IMAP (and NNTP) implementations to Libetpan, the
SSL certificate verification has been plagued by a wrong negative on
very correct certificates, displaying "No certificate issuer found"
when the certificate is signed by an intermediate CA not present in the
distribution's list of trusted CAs in /etc/ssl/certs.

The problem was that it was possible to get the final certificate
presented from libetpan's API, but not the chain of certificates.

This is of course much more annoying post-Heartbleed.
Hoa and I have implemented the required API in Libetpan to provide
Claws Mail with the chain of certificates, and I've added support of it
in Claws Mail.

If you want, you can either use git and get
git clone https://github.com/dinhviethoa/libetpan
git clone http://git.claws-mail.org/readonly/claws.git 

or use the snapshots at http://www.claws-mail.org/snapshots/

Make sure to uninstall your distro's libetpan(-dev) packages first,
then build libetpan, then Claws Mail.

I'm interested if you get failures or crashes - but you shouldn't.

Thanks !
-- 
Colin
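
The failure described in this message, reproduced with the openssl command-line tool as an added example (not code from Claws Mail or libetpan, and not using libetpan's API). The CA names, host name and file names are constructed for the demo; only the demo root is trusted, as with an intermediate CA missing from /etc/ssl/certs.

```shell
#!/bin/sh
# Constructed demo PKI: root CA -> intermediate CA -> server certificate.
# All subjects and file names below are made up for this example.

# mkcert DIR NAME CN [x509 signing options...]: new key + CSR, then a certificate
mkcert() {
    d=$1 n=$2 cn=$3; shift 3
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/$n.csr" -days 2 -out "$d/$n.pem" "$@" 2>/dev/null
}

build_demo_pki() {
    d=$1
    # Extensions that mark the root and the intermediate as CAs
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$d/ca.ext"
    # Self-signed root: the only certificate the client trusts
    mkcert "$d" root "Demo Root CA" -signkey "$d/root.key" -extfile "$d/ca.ext" &&
    # Intermediate CA signed by the root; NOT placed in the trust store
    mkcert "$d" int "Demo Intermediate CA" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" &&
    # Server certificate signed by the intermediate
    mkcert "$d" leaf "imap.example.test" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial
}

# Only the server's final certificate is available: the issuer cannot be found.
verify_leaf_only() {
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# The chain presented by the server is available: the intermediate is passed as
# an untrusted helper certificate, and trust is still anchored in the root only.
verify_with_chain() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/leaf.pem" \
        >/dev/null 2>&1
}

tmp=$(mktemp -d) && build_demo_pki "$tmp" || exit 1
verify_leaf_only "$tmp" && echo "leaf only: OK" || echo "leaf only: no issuer found"
verify_with_chain "$tmp" && echo "with chain: OK" || echo "with chain: FAILED"
rm -rf "$tmp"
```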