~sircmpwn/aerc2#514: Support missing for self-signed certificates?

I'm trying to use aerc with protonmail-bridge, which uses a self-signed certificate. When I start aerc, I see a red error message for a few seconds which says "x509: certificate signed by unknown authority". After that the status bar says "Connecting..." and progress indicators move around at the top of the window, but nothing else happens.

Looking around, I find that it may be necessary to pass InsecureSkipVerify to the crypto/tls package - but I'm not a Go expert, the solution may be something else. In any case I think there should be an option to allow connections to servers with self-signed certificates. Am I missing something?

I'm using the community/aerc package and aerc -v says 0.5.2-2 - in case it matters.

Status: RESOLVED DUPLICATE
Submitter: ~olisturm
Assigned to: No-one
Submitted: 3 years ago
Updated: 3 years ago
Labels: No labels applied.

~labrat REPORTED DUPLICATE 3 years ago

~olisturm DUPLICATE REPORTED 3 years ago

You're kidding, right? Where is the duplicate? I searched the issue list for "self", "signed" and "certificate" and I didn't find anything. Plus, closing the issue with this statement without at least adding a link seems a bit disrespectful of the effort I just made to report it.

~labrat REPORTED DUPLICATE 3 years ago

~labrat 3 years ago

kindly stop trying to triage bugs that we closed, thanks.

312, 329, 475 take your pick.

If you'd asked in any of our communication channels you'd have gotten that answer. The bug tracker is not a user support forum.

~olisturm DUPLICATE REPORTED 3 years ago

Dude, stop being an idiot please. I was reporting an issue, not asking a question. It is not my fault that the search in this weird and wonderful source control platform you chose does not work - try it yourself and you'll see.

Now I have read the issues you linked (duh! you really didn't, did you - yeah yeah, I know, we're all volunteers - only some manage to volunteer in a professional and courteous way and others don't) and I see how they relate. I also see that they should have shown up in my searches, but they didn't. What I don't see is an actual solution to the problem - just more examples of your attitude. That's fine, I'm happy to learn early on when I'm not wanted. A nice life to you and this project, and thanks for nothing.

~olisturm REPORTED WONT_FIX 3 years ago

~labrat 3 years ago

it's not a wontfix... someone just needs to implement #329

~labrat WONT_FIX REPORTED 3 years ago

~labrat REPORTED DUPLICATE 3 years ago

~olisturm 3 years ago

I might be wrong since I'm not an SSL expert, but I don't think that pinning a CA would help with self-signed certificates. At least not directly, since the case I'm describing is one where I don't control the CA that creates the certificate. All I know is that all the communication is on localhost, so I really don't care what certificate is used. I would prefer an easier option to make this work, which does not require me to dig around and find out how to add a CA built into some 3rd party software.

~labrat 3 years ago

we can probably implement it so that we can pin the certificate fingerprint itself, the feature should be pretty much the same I guess as we can just walk the chain and if one of them matches the chosen fingerprint the user specified we're good I think.

Didn't look too deep into it though.

~olisturm 3 years ago

FWIW, that sounds like a good idea to me. It would obviously be much safer than simply connecting blindly to self-signed certificates, yet easy enough to make work for those who know even less about the topic than I do.
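
The fingerprint pinning discussed in the two comments above, as an added Go example; it is not part of the thread and not aerc's code. The function name `pinnedTLSConfig` and the user-supplied pin string are assumptions, and the "certificates" in `main` are constructed byte strings standing in for DER data.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// pinnedTLSConfig returns a client config that skips CA validation and
// instead accepts the server only if some certificate in the presented
// chain has the pinned SHA-256 fingerprint ("ab:cd:..." or plain hex).
func pinnedTLSConfig(pinHex string) (*tls.Config, error) {
	pin, err := hex.DecodeString(strings.ReplaceAll(strings.TrimSpace(pinHex), ":", ""))
	if err != nil || len(pin) != sha256.Size {
		return nil, errors.New("pin must be a hex SHA-256 fingerprint (32 bytes)")
	}
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		// Disables chain and hostname checks; the callback below is then
		// the only thing authenticating the server.
		InsecureSkipVerify: true,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			for _, der := range rawCerts { // walk the chain as sent by the server
				sum := sha256.Sum256(der)
				if subtle.ConstantTimeCompare(sum[:], pin) == 1 {
					return nil
				}
			}
			return errors.New("tls: no certificate in chain matches the pinned fingerprint")
		},
	}, nil
}

func main() {
	// Constructed stand-in for a DER certificate; a real pin would come from
	// the user's config (hypothetical option, not an existing aerc setting).
	fake := []byte("constructed-der-bytes")
	sum := sha256.Sum256(fake)
	cfg, _ := pinnedTLSConfig(hex.EncodeToString(sum[:]))
	fmt.Println("pinned cert:", cfg.VerifyPeerCertificate([][]byte{fake}, nil))
	fmt.Println("other cert: ", cfg.VerifyPeerCertificate([][]byte{[]byte("x")}, nil))
}
```

Unlike `InsecureSkipVerify` on its own, a certificate that does not hash to the pin aborts the handshake, so a swapped certificate on the local port is rejected rather than silently trusted.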

~sircmpwn 3 years ago

Coming into this thread late, but ~olisturm's behavior in this thread is not appropriate. I have disabled their access to the issue tracker.
