Re: [fetchmail-devel] Downloading remote server certificate for a TLS session?

[Rob M. <rob...@gm...>]

On 8/22/07, Jakob Hirsch <jh...@pl...> wrote:
> Rob MacGregor wrote:
>
> I don't know anything about your server, but it works fine here:
>
> $ openssl s_client -connect koi:pop3 -starttls pop3
> CONNECTED(00000003)
> ...
> +OK Dovecot ready. <...>

Ok, I've just tried it on another host and it works there, just not on
my main host - which works fine with fetchmail's TLS support.

> Right, but I don't hink that fetchmail is the right tool for that. On
> the other hand, it's not that hard to print the certificate.

From my results above it looks like the s_client functionality isn't
100%, and it's use relies on people having the very latest version for
IMAP support (from your comment below).

History on the -users mailing list suggests that we really need to
make it easy for people to solve these problems.  If it's simple
enough to provide all the required information from within fetchmail
then that's got to make their lives (and by extension mine :>) easier.

If openssl's client support was better established then I'd probably
agree with you though.

> But it looks like the openssl people are working on it: 0.9.8e also
> contains STARTTLS support for imap (and even handles smtp properly).

Just tried it with one provider and it works, useful.

It does however assume that everybody is using at least 0.9.8e :)  I
suppose I'm mostly concerned about the poor souls who're using RPM
based distributions.  It isn't always possible to upgrade one package
without upgrading dozens of others - something people who're just
trying to get one package working may not want to/be able to do.

-- 
                 Please keep list traffic on the list.

Rob MacGregor
      Whoever fights monsters should see to it that in the process he
        doesn't become a monster.                  Friedrich Nietzsche