From owner-freebsd-questions@freebsd.org Sun May 31 22:16:29 2020
From: "Garance A Drosehn"
To: "Matthias Apitz"
Cc: freebsd-questions@freebsd.org
Subject: Re: IMAP && Server certificate has expired
Date: Sun, 31 May 2020 18:16:16 -0400
In-Reply-To: <5e1a71cd-6837-47f1-b485-c583550db48a@unixarea.de>
References: <5e1a71cd-6837-47f1-b485-c583550db48a@unixarea.de>
List-Id: User questions
On 31 May 2020, at 12:10, Matthias Apitz wrote:

> Hello,
>
> When I connect with the MUA mutt directly with IMAP to my ISP with:
>
> $ mutt -f imap://imap.1blu.de:143/
>
> I have been getting, for some hours now:
>
> Server certificate has expired
>
> and the cert presented gives the information below. I can overcome
> the situation with 'set ssl_verify_dates=no' in .muttrc, but I'm
> wondering what I should tell my ISP, as no information about his
> server (1blu.de) shows up in the expired certificate. Or is this
> because something in my OpenSSL installation expired? FreeBSD is
> an older CURRENT from January 2019, with ports of the same time.
>
> Any ideas?
>>
>> This certificate was issued by:
>> AddTrust External CA Root
>> Unknown
>> AddTrust AB
>> AddTrust External TTP Network
>> Unknown
>> Unknown
>> SE
>>
>> This certificate is valid
>> from May 30 10:48:38 2000 GMT
>> to May 30 10:48:38 2020 GMT

There is a cert from AddTrust which expired early on Saturday. I believe
it was the cert for the certificate authority named USERTrust RSA. This
shouldn't have been a problem, because there is a newer cert for that
same CA which has not expired.

I do not understand all the details, but apparently there is a bug in
versions of OpenSSL which are older than version 1.1. If the older
(now-expired) cert is known on some system, it is used instead of the
newer cert. And therefore that cert, and every cert which was generated
by that CA, is also considered invalid.

This problem hit us at RPI on many Red Hat systems yesterday. I also saw
the problem in Mail.app on some of my older macOS systems, but Mail.app
does not have this problem on macOS Catalina.

-- 
Garance Alistair Drosehn = drosih@rpi.edu
Lead Developer @rpi and gad@FreeBSD.org
Rensselaer Polytechnic Institute; Troy, NY; USA
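As an added illustration (not part of the thread, and a simplified model rather than OpenSSL's real path-building code), the script below shows how an expired cross-signing root that is still in the trust store can sink an otherwise valid chain, and why removing that root, or consulting the trust store before the server-sent certificates, repairs it. The certificate records, the leaf and intermediate names, and the assumption that the cross-cert expires together with the AddTrust root are all constructed for the example.

```python
from datetime import datetime, timezone

UTC = timezone.utc
NOW = datetime(2020, 5, 31, 22, 0, tzinfo=UTC)                   # when the reply was sent
ADDTRUST_EXPIRY = datetime(2020, 5, 30, 10, 48, 38, tzinfo=UTC)  # "valid ... to" quoted above

def cert(name, subject, issuer, not_after):
    return {"name": name, "subject": subject, "issuer": issuer, "not_after": not_after}

# Constructed, simplified records, not real certificates. Two share the subject
# "USERTrust RSA": the self-signed root and the cross-cert AddTrust issued for it
# (assumed here to expire together with the AddTrust root).
LEAF = cert("leaf", "imap.example", "ISP intermediate CA", datetime(2021, 1, 1, tzinfo=UTC))
INTERMEDIATE = cert("intermediate", "ISP intermediate CA", "USERTrust RSA",
                    datetime(2030, 1, 1, tzinfo=UTC))
USERTRUST_CROSS = cert("usertrust-cross", "USERTrust RSA", "AddTrust External CA Root",
                       ADDTRUST_EXPIRY)
USERTRUST_ROOT = cert("usertrust-root", "USERTrust RSA", "USERTrust RSA",
                      datetime(2038, 1, 1, tzinfo=UTC))
ADDTRUST_ROOT = cert("addtrust-root", "AddTrust External CA Root",
                     "AddTrust External CA Root", ADDTRUST_EXPIRY)
PRESENTED = [LEAF, INTERMEDIATE, USERTRUST_CROSS]   # the chain the IMAP server sends
BOTH_ROOTS = [USERTRUST_ROOT, ADDTRUST_ROOT]        # a trust store still holding AddTrust

def build_chain(presented, store, now=NOW, trusted_first=False):
    """Depth-first search from the leaf to a self-signed cert in the store.
    Issuers are tried server-sent-first (old behaviour) or store-first. The first
    complete path wins and is only then checked for expiry, so a found-but-expired
    anchor is used rather than backed out of. Returns (ok, chain names)."""
    def walk(path):
        top = path[-1]
        if top["subject"] == top["issuer"] and top in store:   # reached a trust anchor
            return path
        pools = (store, presented) if trusted_first else (presented, store)
        for pool in pools:
            for cand in pool:
                if cand["subject"] == top["issuer"] and cand not in path:
                    found = walk(path + [cand])
                    if found:
                        return found
        return None
    path = walk([presented[0]])
    if path is None:
        return False, ["<no path to a trusted root>"]
    return all(c["not_after"] > now for c in path), [c["name"] for c in path]

if __name__ == "__main__":
    print("old, AddTrust in store:   ", build_chain(PRESENTED, BOTH_ROOTS))
    print("old, AddTrust removed:    ", build_chain(PRESENTED, [USERTRUST_ROOT]))
    print("trusted-first, both roots:", build_chain(PRESENTED, BOTH_ROOTS, trusted_first=True))
```

The first call reproduces the failure in the thread (the path runs through the expired cross-cert to the expired AddTrust root); the second shows the common remediation of dropping the expired root from the store, and the third the store-first strategy that never needs the cross-cert.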