Bug 620978

Summary: Mutt doesn't honor "(a)ccept always" as expected if certificate name doesn't match
Product: [Fedora] Fedora
Reporter: Robert Scheck <redhat-bugzilla>
Component: mutt
Assignee: Honza Horak <hhorak>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: rawhide
CC: mlichvar, pertusus
Hardware: All   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2011-10-27 14:24:12 UTC
Attachments:
Description Flags
mutt-1.5.20-smtp-ssl.patch none

Description Robert Scheck 2010-08-03 22:01:00 UTC
Description of problem:
Imagine you've an SMTP relayhost/smarthost with an SSL certificate having the 
common name "mail.servername.tld". If I configure the following in .muttrc:

  set smtp_url="smtp://tux.tld"

and try to send an e-mail via mutt, mutt of course complains that the name
of the hostname doesn't match with the certificate and offers the following
possibilities.

  (r)eject, accept (o)nce, (a)ccept always

If I choose "(a)ccept always", a copy of the certificate gets saved into the
.mutt/certificate file - as expected. Then I'm quitting mutt and starting it
again. I'm trying to send another e-mail. Unfortunately, I'm getting the same
possibilities as before listed again:

  (r)eject, accept (o)nce, (a)ccept always

If I choose "(a)ccept always" again, the certificate gets saved another (!)
time in .mutt/certificate. That means the certificate is saved there twice.
And if you do this a third time, it's there a third time. Which seems wrong
to me.

I'm expecting that if I already added an exception the first time by using
"(a)ccept always", it should never ask me again and just send the e-mail
silently without bothering the user. That's at least how e.g. Firefox is doing
this right now for exceptions.

Version-Release number of selected component (if applicable):
mutt-1.5.20-2.20091214hg736b6a.i686

How reproducible:
Every time, see above.

Actual results:
Mutt doesn't honor "(a)ccept always" as expected if certificate name doesn't 
match.

Expected results:
Mutt should honor "(a)ccept always" as expected - even if certificate name 
doesn't match.

Comment 1 Robert Scheck 2010-08-03 22:05:02 UTC
Created attachment 436392
mutt-1.5.20-smtp-ssl.patch

Suggestion of the hack which makes things work as I'm expecting them...

Comment 2 Miroslav Lichvar 2010-08-04 07:53:10 UTC
Please send patches to the upstream list or trac, especially if it's for code we don't use in Fedora package :).

Comment 3 Robert Scheck 2010-08-04 09:26:56 UTC
Oops, see what you mean. Well, GnuTLS has the same issue, but unfortunately
I took OpenSSL rather than GnuTLS for debugging... :(

Comment 4 Robert Scheck 2010-08-24 17:11:18 UTC
Reported upstream: http://dev.mutt.org/trac/ticket/3345

Comment 5 Fedora Admin XMLRPC Client 2011-02-25 11:01:05 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 6 Honza Horak 2011-10-27 14:24:12 UTC
I've just tested this failure with gnutls and openssl using current mutt-1.5.21. The result is that it works as expected with gnutls but fails with openssl.

Since mutt is built with gnutls in Fedora, I'm closing this for now and suggesting to follow the upstream bug report on http://dev.mutt.org/trac/ticket/3345. 

Please, feel free to re-open it if you want.
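
Added example, not part of this bug report and not mutt's code: a C model of the behaviour the description expects, where the exception store is consulted before prompting and a repeated "(a)ccept always" does not append a duplicate. The store format, file name, function names and sample fingerprint are hypothetical; binding each exception to the host it was accepted for is a design assumption of this example.

```c
/* Added example (not mutt's code): persistent "accept always" exceptions.
 * The "host fingerprint" store format and all names are hypothetical. */
#include <stdio.h>
#include <string.h>
enum verdict { V_ACCEPT, V_PROMPT };
#define ENTRY_MAX 512   /* longest stored line, including newline and NUL */

/* Return 1 if this exact (host, fingerprint) pair is already in the store. */
int exception_known(const char *path, const char *host, const char *fp)
{
    char line[ENTRY_MAX], want[ENTRY_MAX];
    int found = 0;
    FILE *f;
    if (snprintf(want, sizeof want, "%s %s\n", host, fp) >= (int)sizeof want)
        return 0;                        /* overlong input: fail closed */
    if (!(f = fopen(path, "r")))
        return 0;                        /* no store yet: nothing trusted */
    while (!found && fgets(line, sizeof line, f))
        found = strcmp(line, want) == 0; /* host AND fingerprint must match */
    fclose(f);
    return found;
}

/* Record an exception: 1 if added, 0 if already present, -1 on error.
 * Idempotent, so repeating "accept always" never appends a duplicate. */
int exception_save(const char *path, const char *host, const char *fp)
{
    FILE *f;
    if (exception_known(path, host, fp))
        return 0;
    if (strlen(host) + strlen(fp) + 3 > ENTRY_MAX || !(f = fopen(path, "a")))
        return -1;                       /* refuse entries that cannot be matched */
    fprintf(f, "%s %s\n", host, fp);
    return fclose(f) == 0 ? 1 : -1;
}

/* Consult the store before prompting. name_matches is the hostname check
 * result; chain validation is assumed to have passed already. */
enum verdict check_peer(const char *path, const char *host, const char *fp,
                        int name_matches)
{
    return (name_matches || exception_known(path, host, fp)) ? V_ACCEPT : V_PROMPT;
}

int main(void)
{
    const char *fp = "SHA256:constructed-sample";   /* constructed value */
    exception_save("exceptions.demo", "tux.tld", fp);
    return check_peer("exceptions.demo", "tux.tld", fp, 0) != V_ACCEPT;
}
```

Because the lookup key includes the host, a certificate accepted for one server is not silently accepted when a different server presents it.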