~olisturm


#329 Support option to pin CA 3 years ago

Comment by ~olisturm on ~sircmpwn/aerc2

Update: this patch works for me with protonmail-bridge. Thank you!

#329 Support option to pin CA 3 years ago

Comment by ~olisturm on ~sircmpwn/aerc2

Great, I'll try that. So I guess that a self-signed certificate is its own CA... that makes sense to me after I thought about the term self-signed a little while longer :)

#329 Support option to pin CA 3 years ago

Comment by ~olisturm on ~sircmpwn/aerc2

Reading the patch, I think I understand how this works and I'd like to try it. However, where do you take the file from that you use for sourceCaFile and outgoingCaFile? (I mean when using it with protonmail-bridge.)

I tested this just this morning and I found that protonmail-bridge uses a self-signed certificate (based on the output of openssl s_client -connect 127.0.0.1:1143 -starttls imap). My SSL-fu is probably rusty, but I believe these certificates don't have CAs... or would that be the certificate itself? If you know how to create the required file, it would be much appreciated.

#514 Support missing for self-signed certificates? 3 years ago

Comment by ~olisturm on ~sircmpwn/aerc2

FWIW, that sounds like a good idea to me. It would obviously be much safer than simply connecting blindly to self-signed certificates, yet easy enough to make work for those who know even less about the topic than I do.

#514 Support missing for self-signed certificates? 3 years ago

Comment by ~olisturm on ~sircmpwn/aerc2

I might be wrong since I'm not an SSL expert, but I don't think that pinning a CA would help with self-signed certificates. At least not directly, since the case I'm describing is one where I don't control the CA that creates the certificate. All I know is that all the communication is on localhost, so I really don't care what certificate is used. I would prefer an easier option to make this work, which does not require me to dig around and find out how to add a CA built into some 3rd party software.

#514 Support missing for self-signed certificates? 3 years ago

on ~sircmpwn/aerc2

REPORTED RESOLVED WONT_FIX

#514 Support missing for self-signed certificates? 3 years ago

Comment by ~olisturm on ~sircmpwn/aerc2

Dude, stop being an idiot please. I was reporting an issue, not asking a question. It is not my fault that the search in this weird and wonderful source control platform you chose does not work - try it yourself and you'll see.

Now I have read the issues you linked (duh! you really didn't, did you - yeah yeah, I know, we're all volunteers - only some manage to volunteer in a professional and courteous way and others don't) and I see how they relate. I also see that they should have shown up in my searches, but they didn't. What I don't see is an actual solution to the problem - just more examples of your attitude. That's fine, I'm happy to learn early on when I'm not wanted. A nice life to you and this project, and thanks for nothing.

RESOLVED DUPLICATE REPORTED

#514 Support missing for self-signed certificates? 3 years ago

Comment by ~olisturm on ~sircmpwn/aerc2

You're kidding, right? Where is the duplicate? I searched the issue list for "self", "signed" and "certificate" and I didn't find anything. Plus, closing the issue with this statement without at least adding a link seems a bit disrespectful of the effort I just made to report it.

RESOLVED DUPLICATE REPORTED

#514 Support missing for self-signed certificates? 3 years ago

Ticket created by ~olisturm on ~sircmpwn/aerc2

I'm trying to use aerc with protonmail-bridge, which uses a self-signed certificate. When I start aerc, I see a red error message for a few seconds which says "x509: certificate signed by unknown authority". After that the status bar says "Connecting..." and progress indicators move around at the top of the window, but nothing else happens.

Looking around, I find that it may be necessary to pass InsecureSkipVerify to the crypto/tls package - but I'm not a Go expert, the solution may be something else. In any case I think there should be an option to allow connections to servers with self-signed certificates. Am I missing something?

I'm using the community/aerc package and aerc -v says 0.5.2-2 - in case it matters.
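
The pinning idea discussed in the comments above, as an added example (not aerc's code and not the patch from #329): a self-signed certificate placed in `RootCAs` acts as its own CA, so verification stays on and any other certificate for the same address is rejected. The certificates are constructed in memory, and `selfSigned`, `pinnedConfig` and `verify` are hypothetical helper names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a constructed self-signed certificate for 127.0.0.1 (parsed form and PEM).
func selfSigned() (*x509.Certificate, []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-bridge"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// pinnedConfig trusts only the certificates in caPEM; InsecureSkipVerify stays false.
func pinnedConfig(caPEM []byte) (*tls.Config, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, fmt.Errorf("no certificate found in PEM data")
	}
	return &tls.Config{RootCAs: pool, ServerName: "127.0.0.1"}, nil
}

// verify runs the chain and name check that a handshake performs against cfg.RootCAs.
func verify(cfg *tls.Config, server *x509.Certificate) error {
	_, err := server.Verify(x509.VerifyOptions{Roots: cfg.RootCAs, DNSName: cfg.ServerName})
	return err
}

func main() {
	bridge, bridgePEM := selfSigned()
	impostor, _ := selfSigned() // second constructed certificate, same name, different key
	cfg, _ := pinnedConfig(bridgePEM)
	fmt.Println("pinned bridge:", verify(cfg, bridge), "| impostor:", verify(cfg, impostor))
}
```

With `InsecureSkipVerify: true` instead, a TLS client would accept both certificates without any check.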