https://bugzilla.novell.com/show_bug.cgi?id=761503 https://bugzilla.novell.com/show_bug.cgi?id=761503#c2 --- Comment #2 from Ludwig Nussel 2012-07-02 15:42:06 CEST --- any update here? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=761503 https://bugzilla.novell.com/show_bug.cgi?id=761503#c4 Dominique Leuenberger changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dimstar@opensuse.org --- Comment #4 from Dominique Leuenberger 2012-07-18 20:33:25 UTC --- The ca-certificates.crt is, as per upstream, indeed not thought to be installed (in fact, make install does NOT copy it). It's targeting WIN32 installs only. The issue for 'us' having this file installed is that we copy the tools folder around. (In reply to comment #1)

certificate verification in claws-mail is broken in multiple ways

1. claws_ssl_get_cert_file() doesn't try any existing bundle file so the included bundle isn't used either

Claws has a list of paths to use (none of which we use too): const char *cert_files[]={ "/etc/pki/tls/certs/ca-bundle.crt", "/etc/certs/ca-bundle.crt", "/usr/share/ssl/certs/ca-bundle.crt", "/etc/ssl/certs/ca-certificates.crt", "/usr/local/ssl/certs/ca-bundle.crt", "/etc/apache/ssl.crt/ca-bundle.crt", "/usr/share/curl/curl-ca-bundle.crt", "/usr/share/curl/curl-ca-bundle.crt", "/usr/lib/ssl/cert.pem", NULL}; I'll extend that list for our package by adding /etc/ssl/ca-bundle.pem (This seems to be the one we use... if we want, upstream agrees to add this to their list as well, so we won't have to carry the patch forever)

2. the return value of gnutls_certificate_verify_peers2() isn't used. Instead claws always runs into the code path for self-signed certificates (ie prompts for confirm)

Will take some time together with upstream to find the best course here

3. claws does not call gnutls_x509_crt_check_hostname() which would make it prone to MITM. Due to 2) that's not a problem though.

Will take some time together with upstream to find the best course here -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=761503 https://bugzilla.novell.com/show_bug.cgi?id=761503#c6 --- Comment #6 from Bernhard Wiedemann 2012-07-22 18:00:07 CEST --- This is an autogenerated message for OBS integration: This bug (761503) was mentioned in https://build.opensuse.org/request/show/128666 Factory / claws-mail -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=761503 https://bugzilla.novell.com/show_bug.cgi?id=761503#c8 Dominique Leuenberger changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |NEEDINFO InfoProvider| |meissner@suse.com --- Comment #8 from Dominique Leuenberger 2012-07-25 21:30:24 UTC --- The general concern of shipping a bundled CA-bundle has been fixed and the path to our own bundle been added. The rest of the issues need to be reported to upstream and be worked out in a clean way. Do we agree to close this bug? (I'll register Ludwig's concerns on the upstream tracker) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=761503 https://bugzilla.novell.com/show_bug.cgi?id=761503#c10 --- Comment #10 from Dominique Leuenberger 2012-07-27 09:41:42 UTC --- Without us kneeling in their neck, it will rot... almost certainly. But communication has been established, which was an important first step. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=761503 https://bugzilla.novell.com/show_bug.cgi?id=761503#c12 Dominique Leuenberger changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED See Also| |http://www.thewildbeast.co. | |uk/claws-mail/bugzilla/show | |_bug.cgi?id=2718 Resolution| |FIXED --- Comment #12 from Dominique Leuenberger 2012-08-05 16:03:25 UTC --- (In reply to comment #1)

certificate verification in claws-mail is broken in multiple ways

1. claws_ssl_get_cert_file() doesn't try any existing bundle file so the included bundle isn't used either

Has been addressed by adding our path to the list

2. the return value of gnutls_certificate_verify_peers2() isn't used. Instead claws always runs into the code path for self-signed certificates (ie prompts for confirm)

Looks like an incorrect statement: gnutls_certificate_verify_peers2 'return' value is a mere success/failure value. The real result is stored in status, which is used in the next function call again. Status is passed down to ssl_certificate_check

3. claws does not call gnutls_x509_crt_check_hostname() which would make it prone to MITM. Due to 2) that's not a problem though.

Reported upstream http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2718 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=761503 https://bugzilla.novell.com/show_bug.cgi?id=761503#c14 Dominique Leuenberger changed: What |Removed |Added ---------------------------------------------------------------------------- Status|REOPENED |NEEDINFO InfoProvider| |lnussel@suse.com --- Comment #14 from Dominique Leuenberger 2012-08-09 11:37:37 UTC --- Upstream just commited this patchset to address our issue: http://claws-mail.org/tracker/getpatchset.php?ver=3.8.1cvs26 Ludwig: mind to verify if that addresses all concerns? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=761503 https://bugzilla.novell.com/show_bug.cgi?id=761503#c16 --- Comment #16 from Bernhard Wiedemann 2012-08-13 13:00:08 CEST --- This is an autogenerated message for OBS integration: This bug (761503) was mentioned in https://build.opensuse.org/request/show/130714 Factory / claws-mail -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.