Menu
▾
▴
Re: [fetchmail-devel] Downloading remote server certificate for a TLS session?
|
From: Jakob H. <jh...@pl...> - 2007-08-23 11:56:27
|
Quoting Rob MacGregor: >> I don't know anything about your server, but it works fine here: >> >> $ openssl s_client -connect koi:pop3 -starttls pop3 >> CONNECTED(00000003) >> ... >> +OK Dovecot ready. <...> > Ok, I've just tried it on another host and it works there, just not on > my main host - which works fine with fetchmail's TLS support. The message "connect: Connection refused" you got with openssl sounds more like it couldn't even connect to the server. It may be worth tracing this problem with strace and tcpdump. Is your main server publically reachable? >> Right, but I don't hink that fetchmail is the right tool for that. On >> the other hand, it's not that hard to print the certificate. > From my results above it looks like the s_client functionality isn't > 100%, and it's use relies on people having the very latest version for > IMAP support (from your comment below). 0.9.8e is 6 months old, so I guess (or hope) it will be absorbed in the next version of $DISTRIBUTION. > History on the -users mailing list suggests that we really need to > make it easy for people to solve these problems. If it's simple > enough to provide all the required information from within fetchmail > then that's got to make their lives (and by extension mine :>) easier. As Matthias pointed out, the fingerprint is suitable for that. Don't get me wrong, I'm not against a "dump the server's cert" feature in fetchmail, it could be handy. But I'm not sure that what you want to do with it is The Right Thing. But then again, I didn't follow the discussion which lead you to start this thread. > It does however assume that everybody is using at least 0.9.8e :) I > suppose I'm mostly concerned about the poor souls who're using RPM > based distributions. It isn't always possible to upgrade one package Sure, even Fedora 7 uses 0.9.8b. But the same applies to fetchmail. Most people use the distribution's package, I guess. But upgrading fetchmail is admittedly quite easier, because of much less dependencies (if any). |
