From: Rob M. <rob...@gm...> - 2007-08-23 12:27:54
On 8/23/07, Jakob Hirsch <jh...@pl...> wrote:
>
> The message "connect: Connection refused" you got with openssl sounds
> more like it couldn't even connect to the server. It may be worth
> tracing this problem with strace and tcpdump.
> Is your main server publicly reachable?

It is, and it works fine (from the same host) with fetchmail or
telnet. I'll have a closer look tomorrow night, but I'm pretty sure
it's not a network problem :)

> 0.9.8e is 6 months old, so I guess (or hope) it will be absorbed in the
> next version of $DISTRIBUTION.

But lots of people won't/don't upgrade working systems if they don't
have to. Heck, I've got a Mandrake 9.0 box that's barely been touched
since it was installed.

> As Matthias pointed out, the fingerprint is suitable for that.
> Don't get me wrong, I'm not against a "dump the server's cert" feature
> in fetchmail, it could be handy. But I'm not sure that what you want to
> do with it is The Right Thing. But then again, I didn't follow the
> discussion which led you to start this thread.

I'm beginning to lean towards the view that the fingerprint is fine.
I do think however that failed certificate verification should be
handled the same way a failed password verification is - emailed
notification upon the first occurrence.
--
Please keep list traffic on the list.
Rob MacGregor
Whoever fights monsters should see to it that in the process he
doesn't become a monster. Friedrich Nietzsche