Bug 957542 - SSL certificate check occurs everytime despite choosing 'accept always'
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: mutt
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Honza Horak
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-04-28 21:51 UTC by Lokesh Mandvekar
Modified: 2014-07-01 22:59 UTC

Fixed In Version: mutt-1.5.21-20.fc19
Clone Of:
Environment:
Last Closed: 2013-06-07 02:58:06 UTC
Type: Bug
Embargoed:



Description Lokesh Mandvekar 2013-04-28 21:51:12 UTC
Description of problem: on launching mutt, it waits for user to manually accept certificate every time, selecting "accept always" doesn't work.


Version-Release number of selected component (if applicable): 1.5.21


How reproducible: always


Steps to Reproduce:
1. Launch mutt

  
Actual results: Certificate details displayed, waits for user to accept. This is also observed when the user sends an email.


Expected results: once 'accept always' is selected, it shouldn't prompt the user again, (as long as the certificate remains the same at least)


Additional info: I observed this while connecting to gmail, unsure if it's gmail specific.

Comment 1 Jiri Cerny 2013-05-06 12:56:51 UTC
I confirm this issue. It occurs with my university account, e.g. it is not gmail specific.

Comment 2 Dominik 'Rathann' Mierzejewski 2013-05-29 09:32:05 UTC
Note that this happens on F19, too, but not on F18. Probably caused by this commit: http://pkgs.fedoraproject.org/cgit/mutt.git/commit/?h=f19&id=422b1495da5cba34449990520377066d46ba3742 (i.e. package revision 18).

Comment 3 Dominik 'Rathann' Mierzejewski 2013-05-29 09:42:40 UTC
This part of mutt-1.5.21-verpeers.patch is wrong:
+- gnutls_certificate_status certstat;
++ int verify_ret;
++ unsigned int status;
+
+- certstat = gnutls_certificate_verify_peers (tlsstate);
+- if (!certstat)
+- return certstat;
++ verify_ret = gnutls_certificate_verify_peers2 (tlsstate, &status);
++ if (!verify_ret)
++ return status;
+ 
+- if (certstat == GNUTLS_E_NO_CERTIFICATE_FOUND)
++ if (status == GNUTLS_E_NO_CERTIFICATE_FOUND)
+ {
+ mutt_error (_("Unable to get certificate from peer"));
+ mutt_sleep (2);
+ return 0;
+ }
+- if (certstat < 0)
++ if (verify_ret < 0)
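Review bot: the added check `if (status == GNUTLS_E_NO_CERTIFICATE_FOUND)` tests the wrong variable. It sits after the early return `if (!verify_ret) return status;`, so it only runs when `gnutls_certificate_verify_peers2` returned non-zero, and `GNUTLS_E_NO_CERTIFICATE_FOUND` is a negative GnuTLS error code, while `status` is the unsigned verification-status value and is declared here without an initialiser. Compare `verify_ret == GNUTLS_E_NO_CERTIFICATE_FOUND` instead, matching the `verify_ret < 0` check that follows, and avoid reading `status` on the error path.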
and so on.

status should be of type enum gnutls_certificate_status_t and the checks should be for GNUTLS_CERT_INVALID in the first condition and >0 in the second, if I'm reading the code correctly.

Comment 4 Dominik 'Rathann' Mierzejewski 2013-05-29 11:17:35 UTC
Apparently I'm reading it wrong, disregard comment #3, please.

Comment 5 Honza Horak 2013-05-29 13:38:25 UTC
Thanks for reporting. It seems the issue was introduced by the patch for #750929. Build mutt-1.5.21-20.fc19 should fix the issue, it will be available in a couple of minutes.

Comment 6 Fedora Update System 2013-05-29 13:48:08 UTC
mutt-1.5.21-20.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/mutt-1.5.21-20.fc18

Comment 7 Fedora Update System 2013-05-29 13:48:08 UTC
mutt-1.5.21-20.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/FEDORA-2013-8745/mutt-1.5.21-20.fc19

Comment 8 Fedora Update System 2013-05-29 17:45:02 UTC
Package mutt-1.5.21-20.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing mutt-1.5.21-20.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-8745/mutt-1.5.21-20.fc19
then log in and leave karma (feedback).

Comment 9 Dominik 'Rathann' Mierzejewski 2013-05-29 20:13:18 UTC
(In reply to Honza Horak from comment #5)
> Thanks for reporting. It seems the issue was introduced by patch for
> #750929. Build mutt-1.5.21-20.fc19 should fix the issue, it will be
> available in couple of minutes.

I'm not sure what to make of it. On one hand, it stopped appending the same certificate over and over to the specified certificates file (which was another bug, unreported here), but on the other hand, the option to "accept always" simply isn't there anymore.

So this update "fixes" this issue in the sense that the option isn't available anymore.

Comment 10 Jiri Cerny 2013-05-30 14:27:15 UTC
For me the update seems to solve the problem.

The option 'always accept' is not missing and is working correctly here.

Comment 11 Honza Horak 2013-05-31 19:39:58 UTC
(In reply to Dominik 'Rathann' Mierzejewski from comment #9)
> I'm not sure what to make of it. On one hand, it stopped appending the same
> certificate over and over to the specified certificates file (which was
> another bug, unreported here), but on the other hand, the option to "accept
> always" simply isn't there anymore.

Hm, I don't think this is caused by that fix, since only certification comparison has been fixed.

The behaviour you describe may be caused by some issues with the certificate, as a comment in the code says:

/* certificates with bad dates, or that are revoked, must be
   accepted manually each and every time */
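
A model of the behaviour discussed in comments 9 and 11, as an added example that is not mutt's code: a saved-certificate store with byte-exact comparison, plus the rule from the quoted code comment that bad dates or revocation rule out "accept always". All names and status bits are hypothetical stand-ins, and the certificate bytes in any caller are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical status bits standing in for the TLS library's verification flags. */
enum { ST_UNTRUSTED = 1u << 0, ST_EXPIRED = 1u << 1,
       ST_NOT_ACTIVATED = 1u << 2, ST_REVOKED = 1u << 3 };

enum decision { ACCEPT_SILENTLY, PROMPT_WITH_ALWAYS, PROMPT_ONCE_ONLY };

struct cert { const unsigned char *der; size_t len; };

#define STORE_MAX 8
struct store { struct cert saved[STORE_MAX]; size_t count; };

/* Byte-exact comparison: length first, then contents. If this step fails for
   an identical certificate, the user is prompted on every connection and the
   same certificate is appended to the store again and again. */
static int cert_equal(const struct cert *a, const struct cert *b)
{
    return a->len == b->len && memcmp(a->der, b->der, a->len) == 0;
}

static int store_contains(const struct store *s, const struct cert *c)
{
    for (size_t i = 0; i < s->count; i++)
        if (cert_equal(&s->saved[i], c))
            return 1;
    return 0;
}

/* Called on "accept always"; returns 1 if added, 0 if already present or full. */
static int store_add(struct store *s, const struct cert *c)
{
    if (store_contains(s, c) || s->count == STORE_MAX)
        return 0;
    s->saved[s->count++] = *c;
    return 1;
}

static enum decision decide(const struct store *s, const struct cert *c, unsigned status)
{
    /* Bad dates or revocation: never persistable, so ask every time. */
    if (status & (ST_EXPIRED | ST_NOT_ACTIVATED | ST_REVOKED))
        return PROMPT_ONCE_ONLY;
    if (status == 0 || store_contains(s, c))
        return ACCEPT_SILENTLY;
    return PROMPT_WITH_ALWAYS;
}
```
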

Comment 12 Fedora Update System 2013-06-07 02:58:06 UTC
mutt-1.5.21-20.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2013-06-08 03:39:04 UTC
mutt-1.5.21-20.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

