From: Matthias A. <mat...@gm...> - 2010-04-23 01:50:51
Greetings,

I'm closing the poll - the input was convincingly argued.

As per the recent commit to Git <http://gitorious.org/fetchmail/fetchmail/commit/e87f96bd9730e2bdb407d0a9cca2a05ee0dabce5>, fetchmail 6.3.17-pre1 (not formally available as tarball) now behaves as follows:

- if --sslcertfile or --sslcertpath or both options are given, fetchmail uses only these locations for OpenSSL X.509 CA certificate trust. Either option is available from the rcfile, too.

- if the environment variable FETCHMAIL_INCLUDE_DEFAULT_X509_CA_CERTS is set and is not empty, fetchmail also loads the default locations, that is /etc/ssl/cert.pem and /etc/ssl/certs/ on my computers. --sslcert???? options retain precedence over the default store, to avoid user astonishment, and along the policies that specifics should override the generics.

I hope that's one little step towards cleaning up the SSL mess.

On Sunday, I had already added some extensions to SSL error reporting, <http://gitorious.org/fetchmail/fetchmail/commit/d73d7527142850442b16883628de5e87f99a57ea> - this needs testing, for instance against SSL sites that provide an incomplete certificate chain, to see if we get the right error message.

Thanks for all your input.