Re: [fetchmail-users] self-signed certs + fetchmail nuisance

[Matthias A. <mat...@gm...>]

Volker Kuhlmann <lis...@pa...> writes:

> I just upgraded from SUSE 10.0 to 10.1, and with it to fetchmail 6.3.2.
> Now I see that one of my email providers must have introduced TLS, but
> with a self-signed cert. The first time cron mails me a
>
> fetchmail: Server certificate verification error: self signed
> certificate

> it's informative, but after the 1735th time the novelty value has worn a
> bit.

This issue is fixed in the latest available release, 6.3.4, where
sslfingerprint (on the command line or in the rcfile) should suppress these
warnings unless sslcertck is enabled.

Your options are (pick at least one):

- ask your ISP to provide proper SSL certificates

- list sslfingerpint AND
  ask Novell (SUSE) to update fetchmail to 6.3.4
      or cherrypick(*) these changes from 6.3.4:

  * SSL/TLS: if, for a certain server, an sslfingerprint is specified and
    sslcertck is NOT set, suppress printing SSL certificate mismatch errors.
    (Reported by Hannes Erven.)
  * SSL/TLS: always print if the sslfingerprint mismatches, even in silent
    mode.  (This is for consistency with certificate verification errors.)

  (*) For cherrypicking, the
  repository is: http://mknod.org/svn/fetchmail/BRANCH_6-3
  to pull: svn diff -r4780:4781

- ask your ISP for their home-made CA root certificate that you can
  stuff into your /etc/ssl/certs (or whatever your CApath is).

-- 
Matthias Andree