Bug 323738

Summary: SSL peer verification does not check for expired/revoked/... certificates once they were approved in the past
Product: [Applications] trojita
Reporter: Jan Kundrát <jkt>
Component: Core
Assignee: Trojita default assignee <trojita-bugs>
Status: RESOLVED UNMAINTAINED
Severity: normal
Priority: NOR
Version First Reported In: git
Target Milestone: ---
Platform: unspecified
OS: Linux

Description Jan Kundrát 2013-08-19 16:49:13 UTC
The current certificate pinning (and the upcoming pubkey pinning, too) works more or less like the traditional SSH client, prompting for trust on the first connection (with a list of errors encountered so far, if any) and complaining very loudly whenever the public key changes. This is good, but it would be even better if the code also checked other properties of the peer, like whether the certificate was blacklisted, expired, revoked, not meant for this use, etc.

It remains to be designed how to present this to the user, what choices to offer (e.g. whether to allow for individual checkboxes for ignoring certain errors like unrecognized CA or a self-signed certificate) etc.
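The pin-plus-ongoing-checks design sketched in the description, as an added example that is not Trojitá's code (Trojitá is C++/Qt; this is a Python model of the decision logic only, with constructed certificate records, hostname and timestamps instead of parsed X.509). It assumes one particular answer to the open design question: only certificate-intrinsic errors (self-signed, unknown CA, hostname mismatch) can be waived via a per-error checkbox and stored alongside the pin, while clock- and revocation-dependent errors are recomputed on every connection and can never be hidden by a previously stored pin.

```python
"""TOFU pinning that keeps re-checking the peer. Added model, not Trojitá code."""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum, auto
import hashlib


class CertError(Enum):
    SELF_SIGNED = auto()
    UNKNOWN_CA = auto()
    HOSTNAME_MISMATCH = auto()
    NOT_YET_VALID = auto()
    EXPIRED = auto()
    REVOKED = auto()
    BLACKLISTED = auto()
    WRONG_KEY_USAGE = auto()


# Errors the user may waive with a checkbox; the waiver is stored with the pin.
# Everything else depends on the clock or on revocation data, is recomputed on
# every connection, and cannot be waived by a stored pin (assumed policy).
STICKY_ERRORS = frozenset({CertError.SELF_SIGNED, CertError.UNKNOWN_CA,
                           CertError.HOSTNAME_MISMATCH})


@dataclass(frozen=True)
class PeerCert:
    """Constructed stand-in for the fields a parsed X.509 certificate exposes."""
    spki_der: bytes              # SubjectPublicKeyInfo DER: what the pubkey pin covers
    serial: int
    not_before: datetime
    not_after: datetime
    hostnames: frozenset
    ext_key_usage: frozenset     # e.g. {"serverAuth"}
    self_signed: bool
    chains_to_trusted_ca: bool


@dataclass
class PinEntry:
    spki_sha256: str
    accepted_errors: frozenset   # subset of STICKY_ERRORS the user waived


class Verdict(Enum):
    ACCEPT = auto()
    PROMPT_FIRST_USE = auto()    # no pin yet: list the errors and ask (SSH-like)
    PROMPT_KEY_CHANGED = auto()  # pinned key differs: complain loudly
    PROMPT_NEW_ERROR = auto()    # same key, but a new waivable error appeared
    REJECT = auto()              # expired/revoked/...: no pin can waive this


def spki_fingerprint(cert):
    return hashlib.sha256(cert.spki_der).hexdigest()


def collect_errors(cert, host, now, revoked_serials, blacklisted_spki):
    """All checks, computed regardless of whether the peer was approved before."""
    errs = set()
    if cert.self_signed:
        errs.add(CertError.SELF_SIGNED)
    elif not cert.chains_to_trusted_ca:
        errs.add(CertError.UNKNOWN_CA)
    if host not in cert.hostnames:
        errs.add(CertError.HOSTNAME_MISMATCH)
    if now < cert.not_before:
        errs.add(CertError.NOT_YET_VALID)
    if now > cert.not_after:
        errs.add(CertError.EXPIRED)
    if cert.serial in revoked_serials:
        errs.add(CertError.REVOKED)
    if spki_fingerprint(cert) in blacklisted_spki:
        errs.add(CertError.BLACKLISTED)
    if "serverAuth" not in cert.ext_key_usage:
        errs.add(CertError.WRONG_KEY_USAGE)
    return frozenset(errs)


def verify(cert, host, pins, now, revoked_serials=frozenset(), blacklisted_spki=frozenset()):
    """Return (verdict, errors the caller should show or act on)."""
    errors = collect_errors(cert, host, now, revoked_serials, blacklisted_spki)
    hard = errors - STICKY_ERRORS
    pin = pins.get(host)
    if pin is not None and pin.spki_sha256 != spki_fingerprint(cert):
        return Verdict.PROMPT_KEY_CHANGED, errors   # the loud SSH-style warning wins
    if hard:
        return Verdict.REJECT, hard                  # checked even for a pinned peer
    if pin is None:
        return Verdict.PROMPT_FIRST_USE, errors
    remaining = errors - pin.accepted_errors
    return (Verdict.PROMPT_NEW_ERROR, remaining) if remaining else (Verdict.ACCEPT, frozenset())


def approve(pins, host, cert, errors):
    """Persist the user's waiver; refuses anything that is not a sticky error."""
    if errors - STICKY_ERRORS:
        raise ValueError("cannot waive: " + ", ".join(sorted(e.name for e in errors - STICKY_ERRORS)))
    pins[host] = PinEntry(spki_fingerprint(cert), frozenset(errors))


# Constructed sample data: one self-signed IMAP server cert and a re-keyed successor.
HOST, UTC = "imap.example.org", timezone.utc
NOW_2013, NOW_2015 = datetime(2013, 8, 19, tzinfo=UTC), datetime(2015, 1, 1, tzinfo=UTC)
_base = dict(serial=0x1001, not_before=datetime(2013, 1, 1, tzinfo=UTC),
             not_after=datetime(2014, 1, 1, tzinfo=UTC), hostnames=frozenset({HOST}),
             ext_key_usage=frozenset({"serverAuth"}), self_signed=True, chains_to_trusted_ca=False)
CERT_A = PeerCert(spki_der=b"constructed SPKI A", **_base)
CERT_B = PeerCert(spki_der=b"constructed SPKI B", **_base)


def walkthrough():
    """First use -> approve -> accepted -> later expired / revoked -> key change."""
    pins, out = {}, []
    out.append(verify(CERT_A, HOST, pins, NOW_2013))                                 # PROMPT_FIRST_USE
    approve(pins, HOST, CERT_A, out[-1][1])                                          # user ticks SELF_SIGNED
    out.append(verify(CERT_A, HOST, pins, NOW_2013))                                 # ACCEPT
    out.append(verify(CERT_A, HOST, pins, NOW_2015))                                 # REJECT: EXPIRED
    out.append(verify(CERT_A, HOST, pins, NOW_2013, revoked_serials={CERT_A.serial}))  # REJECT: REVOKED
    out.append(verify(CERT_B, HOST, pins, NOW_2013))                                 # PROMPT_KEY_CHANGED
    return out


if __name__ == "__main__":
    for verdict, errs in walkthrough():
        print(verdict.name, sorted(e.name for e in errs))
```

The third and fourth steps of `walkthrough()` are the situation the report describes: the key still matches the stored pin, yet the connection is refused because the certificate has meanwhile expired or been revoked. Storing the waived errors per pin, rather than a single "trusted" bit, is what lets a later hostname mismatch or CA change on the same key be surfaced as a new prompt instead of silently passing.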
Comment 1 Justin Zobel 2021-03-09 07:26:20 UTC
Thank you for the bug report.

As this report hasn't seen any changes in 5 years or more, we ask if you can please confirm that the issue still persists.

If this bug is no longer persisting or relevant please change the status to resolved.
Comment 2 Christoph Cullmann 2024-09-23 18:51:01 UTC
Trojitá is no longer maintained; please switch to a maintained alternative like https://apps.kde.org/kmail2/

Sorry for the inconvenience.