Have an option to auto-accept certificates that are exchanged because the old one was close to expiry and the new one is issued from the same CA and valid.
Go to your Account Preferences, locate the TLS page, check the box that says "Automatically accept valid TLS certificates".
This is not what I want. I only want to accept updated certificates IF they are from the same CA.
Richard, please discuss this on the Claws Mail users mailing list. This could be considered an enhancement request, requiring some development work, but solvable (at first glance) relatively easily thanks to Claws' easy-to-hack-on design :)
Richard, so you suspect that your email provider will change its CA often? Remember, this is an account-specific option. Providers do not normally change their CA often. Certs are also not updated often, even from Let's Encrypt. This change would save you from one mouse click, say, every 3 months.
Milan, why do you suggest splitting the conversation, with some of it here and some of it on the mailing list? And it's definitely an enhancement request and not a bug, no doubt about that.
I just consider the mailing list better suited for such a discussion. Maybe just my preference; your opinion may differ. On the subject itself - I agree with your analysis, it is one mouse click per 3 months or longer. Still, I am going to evaluate what I can do with it and try to create a test setup for this. Not much work, not intensive, just for some interest.
Frankly, Milan, and with respect, your preference doesn't count for much here. :)
Please excuse that I did not know how to ask for feature requests; I am happy to continue the discussion anywhere but would rather focus on the technical issues.

To explain my point a bit more: I am very glad that Claws-mail cares about security and makes it easy to examine the SSL certificates. However, it is not once in 3 months and it is not one click in my special case. Having 3 accounts at Google, I have been prompted numerous times in the last 60 minutes!

#1 account exchanged the cert for the IMAP host with expiration date 3/21/22 for a key with expiration date 4/4/22.
#2 For the same account, the cert for the SMTP host was exchanged.
#3 (after quitting and restarting) the next Google account asked to change the IMAP host cert *back* to 3/21/22 !!! This is not nice but happens frequently in reality because it is not a single server but many, and apparently the rollout of the certificates is not synchronized at Google.
#4 Not surprisingly, a few minutes later the other account asked to change the IMAP cert to the new version again.

I did not record how often exactly this "theatre" repeats; my feeling is every few days. As the old certs expire in exactly 2 months and the new certs in exactly 3 months, it will pretty surely be at least once a month. Of course I am not happy Google does it that way, but it is a major email provider.

Regarding the "one click", it is a bit more in my case:
- one click to view the certificates,
- move the dialog window - that is because the smaller accept/decline dialog was centered and the enlarged dialog is half off the screen of this laptop (I know I should open a separate bug for that but am not sure if it is a bug of Claws or the window manager),
- actually look at the certificate and accept it.

So with the frequency it is occurring it is a really significant hassle, which will mean that people in this situation would be hard tempted to turn manual certificate checking off, which is in my opinion not such a good idea.

The idea is, in many cases checking that the Root Authority is the same as that of the old certificate is good enough, and certainly much better than nothing - and it would be nice if that could be automated or made easier.
That google does that is known, and the "Automatically accept valid TLS certificates" option takes care of that. What is wrong with accepting a valid certificate?
What is wrong with accepting a valid certificate? The perfectly "valid" certificate could be issued by some root certificate authority from Hong Kong or Turkey (Turkiye Bilimsel) instead of Google and still be perfectly "valid". It is not supposed to happen, but technically the certificate would pass all checks, and it is not beyond imagination that some authoritarian regime will force one of the root authorities it has under its control to do that. Hotspots and airlines in foreign countries have reportedly been trying that trick. So yes, checking/pinning the certificate authority is very important. Probably the most important check that the average user can do without much hassle. With the Google issue this is pretty much impossible.
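As an added illustration of the policy proposed two comments up (accept a replacement silently only when it comes from the same CA as the previously accepted one) and of the objection just above (a certificate from an unrelated but trusted CA still "passes all checks"), here is a small self-contained Go program. It is not Claws Mail code and not part of this bug report; Claws Mail itself uses C and GnuTLS. All CAs, keys, host names and certificates are constructed in memory, and the check pins the CA certificate that directly signed the previously accepted certificate (a store would keep that CA cert alongside the accepted one); pinning to the root of a longer chain instead would require walking the chain, which this example does not do.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey makes a fresh P-256 key; every key and certificate here is constructed in memory.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign builds a certificate from tmpl signed by parent (self-signed when parent == tmpl).
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// makeCA creates a self-signed CA (constructed test CA, not a real one).
func makeCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(5 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return sign(tmpl, tmpl, &key.PublicKey, key), key
}

// issueLeaf issues a server certificate for host, valid for the given number of days, signed by ca.
func issueLeaf(host string, serial int64, days int, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Duration(days) * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return sign(tmpl, ca, &key.PublicKey, caKey)
}

// AcceptRenewal is the proposed policy: a replacement certificate is accepted without
// prompting only if it is valid now, names the same host, carries the same issuer name as
// the previously accepted certificate, and verifies under the CA certificate that signed
// the old one. A CA with a look-alike name but a different key fails the last check, so
// "valid under some trusted root" alone is not enough, which is the objection raised above.
func AcceptRenewal(host string, prev, cand, prevIssuer *x509.Certificate, now time.Time) (bool, string) {
	if now.Before(cand.NotBefore) || now.After(cand.NotAfter) {
		return false, "replacement certificate is not valid at this time"
	}
	if err := cand.VerifyHostname(host); err != nil {
		return false, "replacement certificate does not name " + host
	}
	if !bytes.Equal(prev.RawIssuer, cand.RawIssuer) {
		return false, "issuer name differs from the accepted certificate"
	}
	if err := cand.CheckSignatureFrom(prevIssuer); err != nil {
		return false, "not signed by the CA that signed the accepted certificate"
	}
	return true, "renewal from the same CA, auto-accepted"
}

// Scenario replays the situation from the thread: the host rotates its certificate under the
// same CA (should be silent), and separately a certificate for the same host appears from an
// unrelated CA that happens to use the same name (should still prompt the user).
func Scenario() (sameCAAccepted, otherCAAccepted bool) {
	ca, caKey := makeCA("Example Mail CA")         // constructed CA
	otherCA, otherKey := makeCA("Example Mail CA") // same name, different key
	const host = "imap.example.invalid"            // constructed host name
	old := issueLeaf(host, 100, 60, ca, caKey)     // the certificate the user accepted earlier
	renewed := issueLeaf(host, 101, 90, ca, caKey) // rotated certificate, same CA
	foreign := issueLeaf(host, 102, 90, otherCA, otherKey)
	now := time.Now()
	sameCAAccepted, _ = AcceptRenewal(host, old, renewed, ca, now)
	otherCAAccepted, _ = AcceptRenewal(host, old, foreign, ca, now)
	return
}

func main() {
	a, b := Scenario()
	fmt.Printf("same CA auto-accepted: %v, other CA auto-accepted: %v\n", a, b)
}
```

Note that the issuer-name comparison on its own would have let the look-alike CA through; it is the signature check against the stored CA certificate that does the real pinning, which is why a client implementing this would need to keep the issuing CA certificate (not just the leaf) from the chain it first accepted.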
Whether a CA is valid or not (and therefore the certificate) is based on the CA bundles installed on your system, so your argument does not hold water.
Even established CAs happen to release fake or fraudulent certificates pretty often. State authorities of several countries are known to have done that.
https://arstechnica.com/information-technology/2011/03/how-the-comodo-certificate-fraud-calls-ca-trust-into-question/
https://www.hkcert.org/blog/diginotar-ca-security-breach-resulting-in-issuance-of-fake-certificates
Manual checking is necessary and should be made as painless as possible. Checking automatically whether a certificate was issued by the expected CA would help greatly.
Manual checking already is pretty simple and easy.