From: grarpamp <gra...@gm...> - 2015-01-26 06:18:55
On Sun, Jan 25, 2015 at 7:58 PM, Matthias Andree <mat...@gm...> wrote:
> On 25.01.2015 at 22:23 Jerry wrote:
>
>>> As pop.google.com has an "official" certificate, there is no need for
>>> a fingerprint check. Just let fetchmail know your root ca certs. I
>>> only use sslfingerprint for self-signed certs, as an override where
>>> root ca cert verification fails. You don't seem to use sslcertck, but
>>> better you should.
>
> Martin's proposal is the same I'd have made:
> 1. add sslcertck
> 2. remove sslfingerprint + the hash.
>
> You need the root certificates installed locally.

Yes, Google has their own intermediate CA. So if you put the full path of CAs just short of the server cert in the file, that should prevent the user from being annoyed at having to change prints all the time.

I don't think fetchmail has an OCSP checking option yet. For that and other reasons I've covered previously, just know that prints do serve real security purposes that you cannot achieve with CA checking.

> isn't a one-stop solution. ca-certificates, ca_root_nss are packages
> that Ubuntu and FreeBSD offer. Some distributions require you to select
> which certificates you want to install into the trust store.

Didn't know about this selection. Figured the OS just dumped them all in. For non-browsing use, it's easy enough to cherry-pick only the CAs you need to support your mail service rather than exposing yourself to all the CAs.

> And you also need up to date versions of fetchmail and OpenSSL.

You may wish to try out fetchmail 7.x; its TLS and other designs are being updated and coming along, perhaps to another beta/release in a while.

FreeBSD bits here.
http://svnweb.freebsd.org/ports/head/security/nss/
http://svnweb.freebsd.org/ports/head/security/ca_root_nss/
http://pkg.freebsd.org/freebsd:10:x86:64/latest/All/ca_root_nss-3.17.3_1.txz

Or you can use the Mozilla + parser links I've previously posted.
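An added illustration of the change discussed above (example configuration written for this page, not taken from the thread or from the fetchmail project): a .fetchmailrc entry that relies on sslfingerprint alone, followed by the same entry rewritten to use sslcertck with a locally cherry-picked CA file. The host pop.gmail.com, the account names, the password, the fingerprint value and the path /usr/local/etc/mail-cas.pem are all assumptions; sslcertck, sslcertfile and sslfingerprint are fetchmail 6.3 options.

```conf
# Weak: the only check is a pinned MD5 fingerprint of the server's leaf
# certificate. It must be re-pinned every time the provider reissues the
# certificate, and it says nothing about the chain behind it.
# (fingerprint below is a placeholder, not a real value)
poll pop.gmail.com protocol pop3 port 995
     user "alice@example.com" there with password "s3cret" is "alice" here
     ssl
     sslfingerprint "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF"

# Corrected: verify the full chain against a small, locally curated file
# that holds only the root (and, optionally, intermediate) CA certificates
# this mail provider actually chains to, and abort the session on any
# verification failure. No fingerprint to maintain; sslfingerprint stays
# reserved for self-signed servers where CA verification cannot succeed.
# (path is an assumed location for the hand-built PEM bundle)
poll pop.gmail.com protocol pop3 port 995
     user "alice@example.com" there with password "s3cret" is "alice" here
     ssl
     sslcertck
     sslcertfile /usr/local/etc/mail-cas.pem
```

The bundle named by sslcertfile is just concatenated PEM certificates, so it can be built by copying the handful of roots your provider uses out of the distribution's ca_root_nss or ca-certificates bundle rather than pointing fetchmail at the whole store; without sslcertck a verification failure is only logged, so the two options belong together.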