Re: [fetchmail-devel] Workaround for unavoidable SSL CommonName mismatch?

[Daniel R. G. <sk...@iS...>]

On Sun, 2006 Apr 23 22:16:07 +0200, Matthias Andree wrote:
> 
> Well, fetchmail is in fact talking to mail.mydomain.com, so allowing
> certificates for other domains on the server wouldn't be the right thing
> to do.

There is no way for mail.mydomain.com to have an SSL certificate with 
CN=mail.mydomain.com. Not unless I shell out for a dedicated IP address. 
Alternate names are not a solution either, unless one wants to download a 
certificate with 100000+ alternates :]

I agree that webhost.com did a lousy job of setting up their SSL mail 
services, but given that that's the current, unlikely-to-change-in-the- 
near-future reality, the issue becomes fetchmail's flexibility in handling 
a less-than-ideal server situation.

> You can however obtain the server's certificate fingerprint (run
> fetchmail with -v (in verbose mode)) and then use the sslfingerprint
> option to suppress the warning. Fetchmail will then abort the connection
> if the fingerprint does not match.

That's what I'm doing for now, but I still get the "CommonName mismatch" 
warnings. (Twice for every connection, in fact.) I want to get rid of 
those, and I'd still like to be able to do full certificate checking 
(modulo the specifically-configured exception for the CN).


--Daniel


-- 
NAME   = Daniel Richard G.       ##  Remember, skunks       _\|/_  meef?
EMAIL1 = sk...@is...        ##  don't smell bad---    (/o|o\) /
EMAIL2 = sk...@al...      ##  it's the people who   < (^),>
WWW    = http://www.******.org/  ##  annoy them that do!    /   \
--
(****** = site not yet online)