
Re: Auto plugged off?

> but what is the security semantics behind limiting validation chain
> length at all?

as a friend reminded me, don't perform unbounded work at the whim of a
stranger.  and don't type strong assertions during first cup of coffee.

> so we care how long the chain is but we don't care if it validates?

the friend, also a wanderlust user, further pointed out

the relevant part of the s_client man page is:

       -verify depth
           The verify depth to use. This specifies the maximum length of the
           server certificate chain and turns on server certificate
           verification.  Currently the verify operation continues after
           errors so all the problems with a certificate chain can be seen.
           As a side effect the connection will never fail due to a server
           certificate verify failure.

note last sentence.

what this boils down to is that s_client is not the right tool for
this job.  stunnel would work, see the attached, hack to taste, add
parameters so you can control settings from emacs variables, etc.

you'll need to set ssl-program-arguments in your .wl to call whatever
you use as a replacement for the broken s_client command.

#!/bin/sh -

/usr/local/bin/stunnel 3<<-'EOF' -fd 3
	CAfile		= /usr/local/etc/certs/hactrn-cacert.pem
	connect		= cyteen.hactrn.net:imaps
	sslVersion	= TLSv1
	client		= yes
	verify		= 2
EOF

randy
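An added example, not part of the message above and not code from stunnel or OpenSSL: if you do stay with s_client, its exit status says nothing about the chain, as the man page text quoted above spells out. The one reliable signal is the "Verify return code:" line it prints, so gate on that. The helper below reads s_client output on stdin and succeeds only when the last reported code is 0; the two sample outputs are constructed, byte counts included, and the host in the trailing comment is the one from the message. Newer OpenSSL releases also accept -verify_return_error, which makes s_client abort on a verification failure instead of continuing.

```shell
#!/bin/sh
# Added example (not from the original message, stunnel or OpenSSL):
# s_client -verify keeps going after a chain failure, so its exit status
# is useless for deciding trust.  Parse the "Verify return code:" line.

# Constructed sample s_client output, trimmed to the lines that matter,
# for a chain that verified and for one that did not.
SAMPLE_OK='
SSL handshake has read 3067 bytes and written 433 bytes
---
    Verify return code: 0 (ok)
---
'
SAMPLE_BAD='
SSL handshake has read 3067 bytes and written 433 bytes
---
    Verify return code: 19 (self signed certificate in certificate chain)
---
'

# Read s_client output on stdin; succeed only when the last reported
# verify return code is 0.  No such line at all is treated as failure.
verify_ok() {
    code=$(sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\).*/\1/p' | tail -n 1)
    [ "$code" = "0" ]
}

# Real use against the host named in the message (needs network, so left
# as a comment here):
#   openssl s_client -verify 5 -CAfile /usr/local/etc/certs/hactrn-cacert.pem \
#       -connect cyteen.hactrn.net:imaps </dev/null 2>/dev/null | verify_ok
```

The same check is worth keeping even with -verify_return_error, since an older s_client silently ignores flags it does not know only in the sense that it errors out, and a wrapper that exits non-zero for any reason other than "code 0 seen" fails closed either way.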