
[Nmh-workers] TLS certificate validation


From: Ken Hornstein
Subject: [Nmh-workers] TLS certificate validation
Date: Sat, 24 Sep 2016 11:18:23 -0400

Now that I've cleaned up our TLS code from the unholy mess it used to
be and abstracted it into a reasonable set of library functions, this
has inspired me to investigate cleaning up a rather annoying deficiency
that we have.  Specifically, we don't do any certificate validation at
all for TLS; zero, nada, zilch.  We basically just are treating the TLS
connection as anonymous DH, and we are open to MITM attacks.  This is
mildly embarrassing, to say the least.  But the options here for solving
this problem are not great.

The _code_ to verify a certificate chain in OpenSSL is relatively
straightforward; I'm not worried about writing that.  But sadly, the
configuration for all of that is lousy, and you start to see why web
browsers ship with their own set of root certificates.  A brief survey
suggests to me that common open-source systems do not ship a set of
popular commercial root certificates.  That would require people to get
root certificates ... and while I can imagine that SOME people, here
especially, would bother to do that, let's be honest: most people WON'T.
As we've seen, a lot of people don't use replyfilter despite it being
around for 4 years and something everyone complains about.  So it would
be a fair amount of code that few people would use, and even less know
about.

I've been poking around and I see that there is something that MIGHT
be worthwhile to look at: something called "trust on first use" (TOFU)
which basically replicates the SSH key model; upon first connection you
decide to trust the certificate you get, and you save that for later.
How this works when certificates expire is a little unclear to me;
maybe you save the whole certificate chain and you decide to trust new
certs that go back to the original root.  If this was enabled by default
we'd get a lot better security out of the box.

We MIGHT be able to get this done for 1.7; I'm unsure.  But I think it's
worth talking about.

Thoughts?

--Ken
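The trust-on-first-use scheme sketched in this message, written out as an added example that is not nmh's code (Python rather than nmh's C, so the policy is readable apart from OpenSSL). It assumes a host-keyed store of fingerprints, a chain passed leaf first, constructed byte strings standing in for DER certificates, and that the cryptographic check that a renewed leaf really chains to the pinned root is done by the TLS library and passed in as a boolean.

```python
import hashlib
from typing import Dict, List, Tuple

# Known-hosts style store: "host:port" -> (leaf fingerprint, root fingerprint).
# Assumed layout; nmh would persist this in its own profile/context files.
TofuStore = Dict[str, Tuple[str, str]]


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, the usual certificate fingerprint."""
    return hashlib.sha256(der).hexdigest()


def tofu_check(store: TofuStore, key: str, chain: List[bytes],
               chain_verified: bool) -> str:
    """Apply trust-on-first-use to a presented chain (leaf first, root last).

    chain_verified is the TLS library's verdict that the leaf is actually
    signed down from chain[-1]; a server can send any root blob it likes, so
    a matching root fingerprint alone proves nothing without that check.

    Returns one of:
      "first-use": nothing pinned yet; the leaf and root are pinned now
      "match":     leaf unchanged since it was pinned (the SSH case)
      "rotated":   new leaf that verifiably chains to the pinned root; re-pin
      "mismatch":  anything else; the caller must refuse the connection
    """
    if not chain:
        raise ValueError("empty certificate chain")
    leaf_fp, root_fp = fingerprint(chain[0]), fingerprint(chain[-1])
    pinned = store.get(key)
    if pinned is None:
        store[key] = (leaf_fp, root_fp)
        return "first-use"
    pinned_leaf, pinned_root = pinned
    if leaf_fp == pinned_leaf:
        return "match"
    if root_fp == pinned_root and chain_verified:
        store[key] = (leaf_fp, root_fp)  # accept the renewed leaf, re-pin it
        return "rotated"
    return "mismatch"


if __name__ == "__main__":
    # Constructed stand-ins for DER blobs; real input would be the bytes
    # the TLS library hands back for each certificate in the chain.
    store: TofuStore = {}
    host, leaf1, leaf2, root = "mail.example.org:993", b"leaf-1", b"leaf-2", b"root"
    for chain in ([leaf1, root], [leaf1, root], [leaf2, root], [leaf1, b"other-root"]):
        print(tofu_check(store, host, chain, True))
```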


