Comment by ~olisturm on ~sircmpwn/aerc2
Update: this patch works for me with protonmail-bridge. Thank you!
Comment by ~olisturm on ~sircmpwn/aerc2
Great, I'll try that. So I guess that a self-signed certificate is its own CA... that makes sense to me after I thought about the term self-signed a little while longer :)
Comment by ~olisturm on ~sircmpwn/aerc2
Reading the patch, I think I understand how this works and I'd like to try it. However, where do you take the file from that you use for sourceCaFile and outgoingCaFile? (I mean when using it with protonmail-bridge.)
I tested this just this morning and I found that protonmail-bridge uses a self-signed certificate (based on the output of openssl s_client -connect 127.0.0.1:1143 -starttls imap). My SSL-fu is probably rusty, but I believe these certificates don't have CAs... or would that be the certificate itself? If you know how to create the required file, it would be much appreciated.
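An added example, not part of the thread or of the aerc patch: Go's crypto/x509 accepts a self-signed certificate once that same certificate is in the trusted pool, so a CA file for such a server can hold the server's own PEM certificate. The certificate is constructed in-process, selfSignedPEM and verifyAgainst are hypothetical helpers, and how the patch itself loads sourceCaFile is an assumption, since the patch is not shown on this page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedPEM (hypothetical helper) builds a constructed self-signed cert for 127.0.0.1.
func selfSignedPEM() ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	// Template and parent are the same: the key signs its own certificate.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), err
}

// verifyAgainst (hypothetical helper) trusts only the certs in caPEM; empty caPEM trusts nothing.
func verifyAgainst(certPEM, caPEM []byte) error {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return fmt.Errorf("no PEM block in certificate input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(caPEM)
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: "127.0.0.1"})
	return err
}

func main() {
	c, _ := selfSignedPEM()
	fmt.Printf("empty CA file: %v\ncert as its own CA: %v\n", verifyAgainst(c, nil), verifyAgainst(c, c))
}
```

The empty-pool case fails with the same "x509: certificate signed by unknown authority" error quoted in the ticket, while hostname and validity checks stay in force in the pinned case.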
Comment by ~olisturm on ~sircmpwn/aerc2
FWIW, that sounds like a good idea to me. It would obviously be much safer than simply connecting blindly to self-signed certificates, yet easy enough to make work for those who know even less about the topic than I do.
Comment by ~olisturm on ~sircmpwn/aerc2
I might be wrong since I'm not an SSL expert, but I don't think that pinning a CA would help with self-signed certificates. At least not directly, since the case I'm describing is one where I don't control the CA that creates the certificate. All I know is that all the communication is on localhost, so I really don't care what certificate is used. I would prefer an easier option to make this work, which does not require me to dig around and find out how to add a CA built into some 3rd party software.
Comment by ~olisturm on ~sircmpwn/aerc2
Dude, stop being an idiot please. I was reporting an issue, not asking a question. It is not my fault that the search in this weird and wonderful source control platform you chose does not work - try it yourself and you'll see.
Now I have read the issues you linked (duh! you really didn't, did you - yeah yeah, I know, we're all volunteers - only some manage to volunteer in a professional and courteous way and others don't) and I see how they relate. I also see that they should have shown up in my searches, but they didn't. What I don't see is an actual solution to the problem - just more examples of your attitude. That's fine, I'm happy to learn early on when I'm not wanted. A nice life to you and this project, and thanks for nothing.
RESOLVED DUPLICATE
REPORTED
Comment by ~olisturm on ~sircmpwn/aerc2
You're kidding, right? Where is the duplicate? I searched the issue list for "self", "signed" and "certificate" and I didn't find anything. Plus, closing the issue with this statement without at least adding a link seems a bit disrespectful of the effort I just made to report it.
RESOLVED DUPLICATE
REPORTED
Ticket created by ~olisturm on ~sircmpwn/aerc2
I'm trying to use aerc with protonmail-bridge, which uses a self-signed certificate. When I start aerc, I see a red error message for a few seconds which says "x509: certificate signed by unknown authority". After that the status bar says "Connecting..." and progress indicators move around at the top of the window, but nothing else happens.
Looking around, I find that it may be necessary to pass InsecureSkipVerify to the crypto/tls package - but I'm not a Go expert, the solution may be something else. In any case I think there should be an option to allow connections to servers with self-signed certificates. Am I missing something?
I'm using the community/aerc package and aerc -v says 0.5.2-2 - in case it matters.