IMAP && Server certificate has expired

[Garance A Drosehn]

On 31 May 2020, at 12:10, Matthias Apitz wrote:

> Hello,
>
> When I connect with the MUA mutt directly with IMAP to my ISP with:
>
> $ mutt -f imap://imap.1blu.de:143/
>
> I get since some hours:
>
> Server certificate has expired
>
> and the cert presented gives the information below. I can overcome
> the situation with 'set ssl_verify_dates=no' in .muttrc, but I'm
> wondering what should I tell to my ISP as no information about his
> server (1blu.de) shows up in the expired certificate. Or is this
> because something on my OpenSSL installation expired? FreeBSD is
> an older CURRENT from January 2019 and ports of the same time.
>
> Any ideas?
>>
>> This certificate was issued by:
>>    AddTrust External CA Root
>>    Unknown
>>    AddTrust AB
>>    AddTrust External TTP Network
>>    Unknown
>>    Unknown
>>    SE
>>
>> This certificate is valid
>>    from May 30 10:48:38 2000 GMT
>>      to May 30 10:48:38 2020 GMT

There is a cert from AddTrust which expired early on Saturday.  I
believe it was the cert for certificate-authority named USERTrust RSA.
This shouldn't have been a problem, because there is a newer cert for
that same CA which has not expired.

I do not understand all the details, but apparently there is a bug in
versions of OpenSSL which are older than version 1.1.  If the older
(now-expired) cert is known on some system, it is used instead of the
newer cert.  And therefore that cert, and every cert which was generated
by that CA is also considered invalid.  This problem hit us at RPI on
many Redhat systems yesterday.

I also saw the problem in Mail.app on some of my older MacOS systems,
but Mail.app does not have this problem on MacOS catalina.

-- 
Garance Alistair Drosehn                =     drosih at rpi.edu
Lead Developer @rpi                   and    gad at FreeBSD.org
Rensselaer Polytechnic Institute;             Troy, NY;  USA