Bug 323738 - SSL peer verification does not check for expired/revoked/... certificates once they were approved in past
Summary: SSL peer verification does not check for expired/revoked/... certificates onc...
Status: RESOLVED UNMAINTAINED
Alias: None
Product: trojita
Classification: Applications
Component: Core (other bugs)
Version First Reported In: git
Platform: unspecified Linux
Priority: NOR
Severity: normal
Target Milestone: ---
Assignee: Trojita default assignee
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-08-19 16:49 UTC by Jan Kundrát
Modified: 2024-09-23 18:51 UTC (History)

See Also:
Latest Commit:
Version Fixed/Implemented In:
Sentry Crash Report:


Description Jan Kundrát 2013-08-19 16:49:13 UTC
The current certificate pinning (and the upcoming pubkey pinning, too) works more or less like the traditional SSH client, prompting for trust on the first connection (with a list of errors encountered so far, if any) and complaining very loudly whenever the public key changes. This is good, but it would be even better if the code also checked other properties of the peer, like whether the certificate was blacklisted, expired, revoked, not meant for this use, etc.

It remains to be designed how to present this to the user, what choices to offer (e.g. whether to allow for individual checkboxes for ignoring certain errors like unrecognized CA or a self-signed certificate) etc.
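As an added illustration of the check the report asks for (example code written for this page in Go, not Trojitá's own C++/Qt code): a pin match on a previously approved peer is treated as necessary but not sufficient, and the expiry and extended-key-usage checks run every time, collecting all problems into one list for the user. The certificate is a constructed self-signed sample; revocation is left out because it needs a network lookup.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"math/big"
	"time"
)

// spkiPin is what a pinning store remembers on first use: SHA-256 of the DER SPKI.
func spkiPin(cert *x509.Certificate) [32]byte {
	return sha256.Sum256(cert.RawSubjectPublicKeyInfo)
}

// checkPeer treats a pin match as necessary but not sufficient and returns every
// problem found, so the UI can show the whole list instead of silently accepting
// a peer approved once. Revocation (CRL/OCSP) needs a network lookup; not modelled.
func checkPeer(cert *x509.Certificate, knownPin [32]byte, now time.Time) []string {
	var errs []string
	if spkiPin(cert) != knownPin {
		errs = append(errs, "public key changed since first approval")
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		errs = append(errs, "certificate outside its validity period")
	}
	serverAuth := len(cert.ExtKeyUsage) == 0 // no EKU extension: unrestricted
	for _, eku := range cert.ExtKeyUsage {
		serverAuth = serverAuth || eku == x509.ExtKeyUsageServerAuth || eku == x509.ExtKeyUsageAny
	}
	if !serverAuth {
		errs = append(errs, "certificate not meant for server authentication")
	}
	return errs
}

// selfSignedCert builds a throwaway certificate (constructed sample data) for offline runs.
func selfSignedCert(notBefore, notAfter time.Time, eku []x509.ExtKeyUsage) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notBefore, NotAfter: notAfter, ExtKeyUsage: eku}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}
```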
Comment 1 Justin Zobel 2021-03-09 07:26:20 UTC
Thank you for the bug report.

As this report hasn't seen any changes in 5 years or more, we ask if you can please confirm that the issue still persists.

If this bug is no longer persisting or relevant, please change the status to resolved.
Comment 2 Christoph Cullmann 2024-09-23 18:51:01 UTC
Trojitá is no longer maintained; please switch to a maintained alternative like https://apps.kde.org/kmail2/

Sorry for the inconvenience.