Re: accecepted ssl certificate suddenly not remembered
- To: mutt-users@xxxxxxxx
- Subject: Re: accecepted ssl certificate suddenly not remembered
- From: Kyle Wheeler <kyle-mutt@xxxxxxxxxxxxxx>
- Date: Thu, 9 Jul 2009 14:29:05 -0500
- Comment: DomainKeys? See http://domainkeys.sourceforge.net/
- Dkim-signature: v=1; a=rsa-sha1; c=relaxed; d=memoryhole.net; h=date :from:to:subject:message-id:references:mime-version:content-type :in-reply-to; s=default; bh=WlLOVpZVaYftJ/EMrXOSJv6aVvQ=; b=Xkej mr96LcWM+3UZRfIqfwTWGbdVNKeFSgl9bakEVq12F9s0GhFxSdW/SDLBtwKY5bz+ 2Mf8uQVN5zC2AjhDJYBFLDI/3COkbbPzuCDkNYKJIiASTpgBQtRC416yNKMAhkxa 2Xd3ISGwmcaRgJdDAVI8A4lb/fDQupAea8EEqjI=
- Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=memoryhole.net; b=K5NupQhYIub8x3NoP2Ph5WxN9nDbDc4tyzR8gYxOtia5UjMYP+Wj2ALFD5R7PSg8DbqkIbtFfZPJIVeWT3I3lfKrflu3HJv0vlWOkW4VbSikeZUrz1e28T2/skdRdUrHJvytgfPeXV/VmPF09P1KqOFnIin7WTgS0flV/4XfaC0=; h=Received:Received:Date:From:To:Subject:Message-ID:Mail-Followup-To:References:MIME-Version:Content-Type:Content-Disposition:In-Reply-To:OpenPGP:User-Agent;
- In-reply-to: <20090709182409.GA16786@xxxxxxxxxxxxxxxxxxx>
- List-post: <mailto:mutt-users@mutt.org>
- List-unsubscribe: send mail to majordomo@mutt.org, body only "unsubscribe mutt-users"
- Mail-followup-to: mutt-users@xxxxxxxx
- Openpgp: id=CA8E235E; url=http://www.memoryhole.net/~kyle/kyle-pgp.asc; preference=signencrypt
- References: <20090709182409.GA16786@xxxxxxxxxxxxxxxxxxx>
- Sender: owner-mutt-users@xxxxxxxx
- User-agent: Mutt/1.5.20 (2009-07-07)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On Thursday, July 9 at 08:24 PM, quoth Rejo Zenger:
> I am running mutt from the official Ubuntu Hardy repository on a
> x86_64 server. As of today, mutt is no longer able to remember
> previously accepted SSL certificates and is unable to the
> certificate_file.
Hmm. Kinda sounds like a certificate problem to me. When does your
certificate expire? I'm guessing it expired yesterday.
> Then, after closing and restarting mutt, it will show me the
> certificate again, it will ask me the same question,
This, I think, is the key piece of evidence. Mutt couldn't verify the
old certificate. Unfortunately, mutt doesn't ever say WHY it couldn't
verify the old certificate, but the most common reason is that either
the certificate expired or couldn't be verified for some other reason.
THIS, I think, is the thing you have to solve.
> but it's no longer possible to save it. It will barf back a warning:
> "couldn't save certificate".
Interesting... possibly a result of the same problem.
> | read(0, "a", 1) = 1
This is mutt seeing that you pressed "a" (for "a"ccept always).
> | open("/home/rejo/.mutt_certificates", O_WRONLY|O_CREAT|O_APPEND,
> 0666) = 5
This is mutt opening the certificate file for writing/appending, and
getting it on file-descriptor 5.
> | fstat(5, {st_mode=S_IFREG|0600, st_size=2538, ...}) = 0
The fstat call on it succeeded, reporting the file to be 2538 bytes.
> | fstat(5, {st_mode=S_IFREG|0600, st_size=2538, ...}) = 0
A second fstat (why?) succeeded.
> | lseek(5, 2538, SEEK_SET) = 2538
Mutt tried to seek to the end of the file.
> | close(5) = 0
Then mutt closed the file.
So it's not a permissions problem.
Unfortunately, that doesn't help much. Here's the relevant code in
mutt (from mutt_ssl.c):
done = 0;
if ((fp = fopen (sslCertFile, "a")))
{
if (PEM_write_X509 (fp, cert))
done = 1;
safe_fclose (&fp);
}
if (!done)
{
mutt_error (_("Warning: Couldn't save certificate"));
mutt_sleep (2);
}
So, in order to get that "couldn't save certificate" error, the
OpenSSL function PEM_write_X509 must have failed to do its job for
some reason. (You'd get the same error message from a permissions
problem, but since the strace shows no signs of a permissions problem,
we know that's not the issue.) Unfortunately, OpenSSL is not really
being very helpful because it doesn't give us an opportunity to find
out exactly what has gone wrong.
My first guess, though, would be that your certificate has expired. I
believe (though I'd have to check) that sometimes these PEM functions
will fail if the certificate is expired.
Similar things have happened to me before, though in my case it was
because my company re-used the webmail ssl certificate for IMAP, and
webmail.example.com != imap.example.com. But the point is that the
hostname being different prevented the certificate from being
validated, which led to a host of problems like this.
~Kyle
- --
What greater thing is there for human souls than to feel that they are
joined for life---to be with each other in silent unspeakable
memories.
-- George Eliot
-----BEGIN PGP SIGNATURE-----
Comment: Thank you for using encryption!
iQIcBAEBCAAGBQJKVkUAAAoJECuveozR/AWealQQAIp+YY6E8mMG5PiyllWTXns1
08RDLktKMFv7NWtsUnrJztXqZmp3rlZvSDtBfN4DN/KM6iNT6m06EsMWLGpajEAi
KT+JyZzbHm4xdMoZEqLdnEvpyO+uYBV0jHKNlfnLB9YJXFyiG9hEcW4CykWSdiWA
g+2AQ39/AJ5yTjt5m2YEk0ULMLvZvBS52pCpd2ogFKRTjG7U4tzPpX+7n8s5TAw+
ajEsWXoKqTOzEspi4Uho55M12kQJypd8wXLm3JptCwFoBJUDvsGbxtjEQ2E7UaVO
9o5olNbQIMRy3rgHySBESkbVUGSKERVvTYbH5Sw5i5i641oL/gSffX8u+4Fti26b
w+6uddMb2268rHk83YD4qkuYRsqXUZj4OXPGa08Xz5OqA6Ozmfr16+dRm54uFWkd
V6UhhPBXFC8fflj4TXXwblyWxrWc/tqSFKepcS66g9J2QNM84U6RPbSwQbNuGBvm
ijSafKGUgqidz+zkNM1VM/tSH0wCw3WpJky4oHo5COoEJOMFUhUYa8SPrGXDwnr1
jkH0UxLFGYMRour+e4IebD20o0RlqFvQiPE529dtgFQODYssiNce9JP0lGGXLPd1
eUeIH21UU7smAXbCtkNHYotutXJOSRMxrVf2Fmx7cAlJCS983WEDnG/hDkn2VnwJ
E/Qd2h8HkisZ/L/VNUA2
=VTjV
-----END PGP SIGNATURE-----