https://bugzilla.novell.com/show_bug.cgi?id=761503
https://bugzilla.novell.com/show_bug.cgi?id=761503#c4
Dominique Leuenberger
certificate verification in claws-mail is broken in multiple ways
1. claws_ssl_get_cert_file() doesn't try any existing bundle file so the included bundle isn't used either
Claws has a list of paths to use (none of which we use either):

    const char *cert_files[]={
        "/etc/pki/tls/certs/ca-bundle.crt",
        "/etc/certs/ca-bundle.crt",
        "/usr/share/ssl/certs/ca-bundle.crt",
        "/etc/ssl/certs/ca-certificates.crt",
        "/usr/local/ssl/certs/ca-bundle.crt",
        "/etc/apache/ssl.crt/ca-bundle.crt",
        "/usr/share/curl/curl-ca-bundle.crt",
        "/usr/share/curl/curl-ca-bundle.crt",
        "/usr/lib/ssl/cert.pem",
        NULL};

I'll extend that list for our package by adding /etc/ssl/ca-bundle.pem (this seems to be the one we use... if we want, upstream agrees to add this to their list as well, so we won't have to carry the patch forever)
2. the return value of gnutls_certificate_verify_peers2() isn't used. Instead claws always runs into the code path for self-signed certificates (i.e. prompts for confirmation)
Will take some time together with upstream to find the best course here
3. claws does not call gnutls_x509_crt_check_hostname() which would make it prone to MITM. Due to 2) that's not a problem though.
Will take some time together with upstream to find the best course here
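The following C program is an added illustration for this bug, not code from claws-mail or from the reporter. It models the two pieces the comment says are missing: a bundle lookup that actually tries each candidate path (point 1, with /etc/ssl/ca-bundle.pem added at the front), and a hostname check of the kind gnutls_x509_crt_check_hostname() performs (point 3), together with a small acceptance rule that only trusts a peer when the verification status from gnutls_certificate_verify_peers2() is zero and the hostname matched (point 2). The function names find_cert_bundle, hostname_matches and peer_acceptable are invented for this example; in real code the hostname comparison should be left to the GnuTLS call rather than re-implemented.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>

/* Candidate CA bundle locations (hypothetical list for this example:
 * the paths from the bug report, with the SUSE one added first). */
static const char *const cert_files[] = {
    "/etc/ssl/ca-bundle.pem",
    "/etc/pki/tls/certs/ca-bundle.crt",
    "/etc/certs/ca-bundle.crt",
    "/usr/share/ssl/certs/ca-bundle.crt",
    "/etc/ssl/certs/ca-certificates.crt",
    "/usr/local/ssl/certs/ca-bundle.crt",
    "/etc/apache/ssl.crt/ca-bundle.crt",
    "/usr/share/curl/curl-ca-bundle.crt",
    "/usr/lib/ssl/cert.pem",
    NULL
};

/* Point 1: walk the candidate list and return the first bundle that is
 * actually present and readable, or NULL if none is. */
const char *find_cert_bundle(const char *const *candidates)
{
    for (; *candidates != NULL; candidates++)
        if (access(*candidates, R_OK) == 0)
            return *candidates;
    return NULL;
}

/* Point 3: hostname matching rules of the kind a TLS client must apply.
 * Case-insensitive exact match, or a single leading "*." wildcard that
 * matches exactly one DNS label. A bare "*", a wildcard anywhere else,
 * and a wildcard covering a public suffix such as "*.com" are rejected. */
int hostname_matches(const char *pattern, const char *host)
{
    if (pattern == NULL || host == NULL || *pattern == '\0' || *host == '\0')
        return 0;
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *suffix = pattern + 1;          /* ".example.com" */
        const char *dot = strchr(host, '.');
        if (dot == NULL || dot == host)            /* need a non-empty first label plus a suffix */
            return 0;
        if (strchr(suffix + 1, '.') == NULL)       /* refuse "*.com": suffix needs its own dot */
            return 0;
        return strcasecmp(dot, suffix) == 0;       /* one label only: rest must equal suffix */
    }
    if (strchr(pattern, '*') != NULL)              /* no other wildcard forms */
        return 0;
    return strcasecmp(pattern, host) == 0;
}

/* Point 2: gnutls_certificate_verify_peers2() fills a status bitmask; zero
 * means the chain verified against the trust store. Only a clean status
 * combined with a hostname match is acceptable. Anything else is rejected
 * here rather than falling through to a "self-signed, ask the user" path. */
int peer_acceptable(unsigned int verify_status, int host_ok)
{
    return verify_status == 0 && host_ok;
}

int main(void)
{
    const char *bundle = find_cert_bundle(cert_files);
    printf("CA bundle: %s\n", bundle ? bundle : "(none found)");

    /* Constructed sample values standing in for a real peer certificate. */
    const char *cert_name = "*.example.com";
    const char *connect_host = "imap.example.com";
    unsigned int status = 0;    /* as if gnutls_certificate_verify_peers2() reported success */

    int host_ok = hostname_matches(cert_name, connect_host);
    printf("hostname %s vs %s: %s\n", connect_host, cert_name, host_ok ? "match" : "mismatch");
    printf("peer acceptable: %s\n", peer_acceptable(status, host_ok) ? "yes" : "no");
    return 0;
}
```

Compile with a plain C compiler; no GnuTLS linkage is needed because the GnuTLS calls are only modelled. The point of peer_acceptable() is the ordering the report complains about: the verification status must be consulted before any interactive confirmation is offered.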