Support option to pin CA

This is related to/inspired by the now closed #312.

Adding your custom RootCA to your host's CA bundle may be a valid suggestion. However, even though the situation might be less horrible than a few years back, you may not want to trust all CAs in that bundle, nor remove all the others from the store, with the implications that that may have for other services and utilities.

Adding the option to select and trust a single root or intermediate CA would appeal both to those who add their own to their store and to the, probably larger, audience who want to narrow the number of strangers they put their trust in.


~labrat referenced this from #475 3 years ago

~labrat closed duplicate ticket #514 3 years ago

~nikobockerman 3 years ago

I made a patch to pin certificate and I use it locally with protonmail-bridge. That patch is available in the mailing list: https://lists.sr.ht/~sircmpwn/aerc/patches/20445

~olisturm 3 years ago

Reading the patch, I think I understand how this works and I'd like to try it. However, where do you take the file from that you use for sourceCaFile and outgoingCaFile? (I mean when using it with protonmail-bridge.)

I tested this just this morning and I found that protonmail-bridge uses a self-signed certificate (based on the output of openssl s_client -connect -starttls imap). My SSL-fu is probably rusty, but I believe these certificates don't have CAs... or would that be the certificate itself? If you know how to create the required file, it would be much appreciated.

~nikobockerman 3 years ago

I used this command to get the certificate: openssl s_client -starttls imap -connect -showcerts

From the output I copied everything between the BEGIN CERTIFICATE and END CERTIFICATE lines, including them, and saved that to a file.

Then into accounts.conf I added source-cafile and outgoing-cafile fields with the value being a path to the saved certificate file.
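
The extraction step described in the comment above, as an added example that is not part of the ticket, the patch or aerc itself: a POSIX shell helper that keeps only the PEM certificate blocks from `openssl s_client -showcerts` output, writes them to a file usable as source-cafile / outgoing-cafile, and shows subject and issuer so you can see that a self-signed certificate is its own issuer. The host 127.0.0.1, the port 1143 and the file name bridge-ca.pem are assumptions.

```shell
#!/bin/sh
# Added example (not from the ticket or the patch): build a PEM file for
# aerc's source-cafile / outgoing-cafile from what an IMAP server presents.
# Assumed values: bridge on 127.0.0.1, IMAP port 1143, output file bridge-ca.pem.

# Keep only the certificate blocks from `openssl s_client -showcerts` output;
# everything else (handshake chatter, session info) is dropped.
extract_pem_blocks() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p'
}

# Number of certificates in a PEM file (one END marker per certificate).
count_certs() {
    grep -c '^-----END CERTIFICATE-----$' "$1"
}

# Fetch the chain over STARTTLS and write it to "$3". Succeeds only if at
# least one certificate was captured. </dev/null ends the session after the
# handshake instead of waiting for IMAP commands on stdin.
fetch_chain() {
    host="$1"; port="$2"; out="$3"
    openssl s_client -starttls imap -connect "$host:$port" -showcerts \
        </dev/null 2>/dev/null | extract_pem_blocks > "$out"
    [ "$(count_certs "$out")" -gt 0 ]
}

# Show what you are about to pin: for a self-signed bridge certificate the
# subject and issuer lines are identical (it is its own CA, as the thread
# concludes). Only the first certificate in the file is described.
describe_first_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -fingerprint -sha256
}

# Usage (set PIN_HOST to run): PIN_HOST=127.0.0.1 sh pin-ca.sh
if [ -n "${PIN_HOST:-}" ]; then
    fetch_chain "$PIN_HOST" "${PIN_PORT:-1143}" bridge-ca.pem || {
        echo "no certificate received from $PIN_HOST" >&2; exit 1; }
    describe_first_cert bridge-ca.pem
    echo "now set source-cafile and outgoing-cafile to $(pwd)/bridge-ca.pem"
fi
```

The certificate captured this way comes from the very connection you are about to trust, so compare the printed fingerprint against the certificate the bridge generated locally before committing it to accounts.conf.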

~olisturm 3 years ago

Great, I'll try that. So I guess that a self-signed certificate is its own CA... that makes sense to me after I thought about the term self-signed a little while longer :)

~olisturm 3 years ago

Update: this patch works for me with protonmail-bridge. Thank you!
