Re: Auto plugged off?
> but what is the security semantics behind limiting validation chain
> length at all?
as a friend reminded me, don't perform unbounded work at the whim of a
stranger. and don't type strong assertions during first cup of coffee.
> so we care how long the chain is but we don't care if it validates?
the friend, also a wanderlust user, further pointed out
the relevant part of the s_client man page is:
-verify depth
    The verify depth to use. This specifies the maximum length of the
    server certificate chain and turns on server certificate verification.
    Currently the verify operation continues after errors so all the
    problems with a certificate chain can be seen. As a side effect the
    connection will never fail due to a server certificate verify failure.
note last sentence.
what this boils down to is that s_client is not the right tool for
this job. stunnel would work, see the attached, hack to taste, add
parameters so you can control settings from emacs variables, etc.
you'll need to set ssl-program-arguments in your .wl to call whatever
you use as a replacement for the broken s_client command.
#!/bin/sh -
# stunnel reads its configuration from file descriptor 3 (-fd 3); the
# here-document below is attached to that descriptor, so no config file
# on disk is needed.  verify = 2 makes stunnel require a server
# certificate that chains to CAfile and drop the connection otherwise,
# which is exactly what s_client will not do.
/usr/local/bin/stunnel 3<<-'EOF' -fd 3
CAfile = /usr/local/etc/certs/hactrn-cacert.pem
connect = cyteen.hactrn.net:imaps
sslVersion = TLSv1
client = yes
verify = 2
EOF
randy
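If you would rather keep s_client than switch to stunnel, the missing piece is something that reads the "Verify return code:" line s_client prints and turns a non-zero code into a failed exit. The wrapper below is an added example and is not part of Randy's post or of the OpenSSL or stunnel projects; the host, port, CA file and depth passed to verified_s_client are assumptions, and the s_client output it is checked against is constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example (not from the original post): make `openssl s_client`
# fail the way the quoted man page says it never will, by inspecting
# the "Verify return code: N (...)" line it prints at the end of the
# handshake.  Host, port, CAfile and depth given to verified_s_client
# are assumptions; any s_client output shown in comments is constructed.

# Return 0 only when the output reports a clean chain
# ("Verify return code: 0 (ok)"), 1 on any other code, and 2 when the
# line is missing altogether (the connection never got far enough, or
# the output was truncated).  The last such line wins, in case
# renegotiation printed more than one.
check_verify_output() {
    code=$(printf '%s\n' "$1" \
        | sed -n 's/^ *Verify return code: *\([0-9][0-9]*\).*/\1/p' \
        | tail -n 1)
    if [ -z "$code" ]; then
        return 2
    fi
    [ "$code" -eq 0 ]
}

# Largest "depth=N" value s_client printed while walking the chain
# (depth=0 is the server certificate).  Lets you see how long the chain
# actually was relative to the bound you set with -verify; prints
# nothing if no chain was seen at all.  Matches both the old
# "depth=1 /C=US/O=..." and the newer "depth=1 C = US, O = ..." styles.
chain_depth() {
    printf '%s\n' "$1" \
        | sed -n 's/^depth=\([0-9][0-9]*\) .*/\1/p' \
        | sort -n | tail -n 1
}

# Connect with a bounded chain length and exit non-zero on a verify
# failure.  Usage: verified_s_client host port cafile [maxdepth]
verified_s_client() {
    host=$1 port=$2 cafile=$3 depth=${4:-5}
    out=$(openssl s_client -connect "$host:$port" -CAfile "$cafile" \
              -verify "$depth" </dev/null 2>&1)
    check_verify_output "$out" || return $?
    echo "verified $host:$port, chain depth $(chain_depth "$out")" >&2
}
```

Drop it in as the ssl-program replacement and let the exit status, not the TLS handshake, decide whether the connection is usable. Newer OpenSSL releases also give s_client a -verify_return_error option that aborts the handshake on a verify error; the wrapper is for the behaviour the man page quoted above describes, where the connection is never refused.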