This is related to/inspired by the now closed #312.
Adding your custom RootCA to your hosts CA bundle may be a valid suggestion. However, even though the situation might be less horrible than a few years back, you may not want to trust all CAs in that bundle, nor remove all the others from the store, with the implications that that may have for other services and utilities.
Adding the option to select and trust a single root or intermediate CA would appeal to both those who add their own to their store as well as to the, probably larger, audience who want to narrow the number of strangers they put their trust to.
I made a patch to pin certificate and I use it locally with protonmail-bridge. That patch is available in the mailing list: https://lists.sr.ht/~sircmpwn/aerc/patches/20445
Reading the patch, I think I understand how this work and I'd like to try it. However, where do you take the file from that you use for
outgoingCaFile? (I mean when using it with protonmail-bridge.)
I tested this just this morning and I found that protonmail-bridge uses a self-signed certificate (based on the output of
openssl s_client -connect 127.0.0.1:1143 -starttls imap). My SSL-fu is probably rusty, but I believe these certificates don't have CAs... or would that be the certificate itself? If you know how to create the required file, it would be much appreciated.
I used this command to get the certificate:
openssl s_client -starttls imap -connect 127.0.0.1:1143 -showcerts
From the output I copied everything between BEGIN_CERTIFICATE and END_CERTIFICATE lines including them and saved that to a file.
outgoing-cafilefields with the value being a path to the saved certificate file.
Great, I'll try that. So I guess that a self-signed certificate is its own CA... that makes sense to me after I thought about the term self-signed a little while longer :)