Menu
▾
▴
[fetchmail-devel] [Bug #16000] fetchmail should support multiple sslfingerprint's
|
From: <ad...@be...> - 2009-07-16 13:09:36
|
Bug #16000, was updated on 2009-Jul-16 10:40 Here is a current snapshot of the bug. Project: Community Fetchmail Category: None Status: Closed Resolution: Invalid Bug Group: None Priority: 5 Submitted by: jw9 Assigned to : none Summary: fetchmail should support multiple sslfingerprint's Details: Some mail servers, such as pop3.live.com, have multiple hosts available at a single IP address (currently pop3.live.com appears to have two hosts behind that one IP address). Other mail servers, such as imap.gmail.com, resolve to rotating IP addresses. It should be possible to specify multiple 'sslfingerprint' entries so that any one of those fingerprints can match. Follow-Ups: Date: 2009-Jul-16 21:09 By: jw9 Comment: It would appear that additional comments appear in a push-down stack order. This makes it very hard to follow the natural order of things. This is very strange. Here in the western world we are used to reading left-to-right and top-to-bottom. We certainly don't expect to have to read from bottom-to-top. I suppose I can turn my monitor upside down and then they might follow in a proper order. But wait, that would make the characters appear upside-down! In any case, if one is to be able to check the sslfingerprint of a server to protect against man-in-the-middle attacks, and if the fingerprint does actually change randomly (and not because of a man-in-the-middle attack), then we need to be able to specify a set of fingerprints and only require that at least one of them matches. ------------------------------------------------------- Date: 2009-Jul-16 21:03 By: jw9 Comment: Why do comments appear in such a strange place (after my original submission)? Shouldn't additional comments follow in a logical order after other people's followup comments? Very strange! ------------------------------------------------------- Date: 2009-Jul-16 21:00 By: jw9 Comment: II think you misunderstand. The sslfingerprint is used to verify the identity of the server and to protect against man-in-the-middle attacks. The configuration also has proper certificate and "ssslcertck" and "sslcertpath" settings. To protect again man-in-the-middle attacks one needs to be able to ensure that the fingerprint of the server hasn't changed. ------------------------------------------------------- Date: 2009-Jul-16 20:33 By: m-a Comment: I don't think fetchmail should do that. sslfingerprints are just a convenience shortcut, and closely resemble stuffing the server's certificate into the directory of trusted certification authority certificates, usually /usr/ssl/certs, /etc/ssl/certs (and running c_rehash afterwards), or similar. The canonical way is to install the GTE CyberTrust Global Root (for Microsoft/live.com) or the Equifax Secure Certificate Authority (for Google Mail) and use certificate-based authentication. See also: http://gagravarr.org/writing/openssl-certs/others.shtml ------------------------------------------------------- For detailed info, follow this link: http://developer.berlios.de/bugs/?func=detailbug&bug_id=16000&group_id=1824 |
