From: Matthias A. <ma...@dt...> - 2004-11-10 01:43:01
Brian Candler <B.C...@po...> writes:

>> A second step (longer-term than the next release), i. e. after the next
>> official release, should then make strict checking the default and offer
>> the user options to relax checking for the case when the configuration
>> (client or server) cannot be fixed on short notice.
>
> I agree, except that if you specify an explicit fingerprint that should also
> make the certificate checking non-strict.

Right. We aren't currently doing that as I can see:

$ LANG=C fetchmail -d0 --sslcertck --sslcertpath /dev/null -v \
  --sslfingerprint 99:A9:55:D9:F5:51:F9:40:CC:A4:C6:26:A2:8E:46:14 XXXXXXX
fetchmail: 6.2.6 querying XXXXXXX (protocol POP3) at Wed Nov 10 01:41:02 2004: poll started
fetchmail: Issuer Organization: YYYYY
fetchmail: Issuer CommonName: Matthias Andree
fetchmail: Server CommonName: XXXXXXX
fetchmail: XXXXXXX key fingerprint: 99:A9:55:D9:F5:51:F9:40:CC:A4:C6:26:A2:8E:46:14
fetchmail: XXXXXXX fingerprints match.
fetchmail: Server certificate verification error: unable to get local issuer certificate
12402:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:842:
fetchmail: SSL connection failed.

> That is, if you *know* the public key of the end-point you're talking to,
> then you don't care if it has been signed or by whom or when. With
> --sslfingerprint you're effectively using the ssh model, rather than the ssl
> model, for preventing man-in-the-middle attacks.

Yup.

--
Matthias Andree
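
The policy agreed on in this message (a matching explicit fingerprint accepts the peer even when chain verification fails, while a mismatch always rejects), as an added Python sketch; it is not fetchmail's code. The function names, the rule that picks the digest from the pin length, and the sample certificate bytes are assumptions made for the example.

```python
import hashlib
import hmac

# Assumption of this sketch: the digest is inferred from the pin length.
# 16 bytes is an MD5-length pin like the one in the message, 32 is SHA-256.
DIGEST_BY_LEN = {16: "md5", 32: "sha256"}
# Constructed stand-in for the peer certificate's DER encoding.
SAMPLE_CERT = b"constructed stand-in for DER certificate bytes"


def parse_pin(text):
    """Turn 'AA:BB:...' into raw bytes, rejecting malformed pins."""
    parts = text.strip().split(":")
    if any(len(p) != 2 for p in parts):
        raise ValueError("pin must be colon-separated hex byte pairs")
    raw = bytes.fromhex("".join(parts))
    if len(raw) not in DIGEST_BY_LEN:
        raise ValueError("unsupported pin length")
    return raw


def fingerprint(cert_der, algo):
    """Colon-separated uppercase hex digest of the certificate bytes."""
    digest = hashlib.new(algo, cert_der).digest()
    return ":".join(f"{b:02X}" for b in digest)


def decide(cert_der, chain_ok, strict, pin=None):
    """Return (accept, reason) for one peer certificate.

    chain_ok: outcome of ordinary CA chain verification
    strict:   analogue of --sslcertck
    pin:      analogue of --sslfingerprint, or None
    """
    if pin is not None:
        want = parse_pin(pin)
        got = hashlib.new(DIGEST_BY_LEN[len(want)], cert_der).digest()
        if not hmac.compare_digest(want, got):
            return False, "fingerprint mismatch"   # a pin never fails open
        return True, "pinned certificate matched"  # chain result not consulted
    if strict and not chain_ok:
        return False, "chain verification failed"
    return True, ("chain verified" if chain_ok else "unverified (non-strict)")


if __name__ == "__main__":
    # The situation in the transcript: strict checking, no usable CA path.
    pin = fingerprint(SAMPLE_CERT, "sha256")
    print(decide(SAMPLE_CERT, chain_ok=False, strict=True, pin=pin))
    print(decide(SAMPLE_CERT, chain_ok=False, strict=True))
```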