From: Martin K. <mk...@gm...> - 2015-01-26 11:26:50
Hi Jerry,

On Sun, 25 Jan 2015, Jerry wrote:

> On Sun, 25 Jan 2015 19:48:25 +0100 (CET), Martin Koeppe stated:
>
>>>>>> user 'us...@gm...' there with password 'SECRET' options forcecr
>>>>>> dropdelivered smtpname ssl sslcertpath /usr/local/etc/postfix/certs
>>>>>> sslfingerprint '26:85:9C:DD:04:26:70:C2:20:0A:A0:A2:24:E4:CF:30'
>>
>> why so complicated? I use this snippet:
>>
>> defaults:
>> proto pop3 timeout 300 sslproto 'TLS1' ssl
>> sslcertfile /usr/ssl/certs/ca-bundle.trust.crt
>> sslcertck
>> limit 50000000 warnings 86400
>>
>>
>> As pop.google.com has an "official" certificate, there is no need for
>> a fingerprint check. Just let fetchmail know your root ca certs. I
>> only use sslfingerprint for self-signed certs, as an override where
>> root ca cert verification fails. You don't seem to use sslcertck, but
>> better you should.
>>
>> Martin
>
> That doesn't work here:
>
> fetchmail: Server certificate verification error: unable to get local issuer certificate
> fetchmail: Broken certification chain at: /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
> fetchmail: This could mean that the server did not provide the intermediate CA's certificate(s), which is nothing fetchmail could do anything about. For details, please see the README.SSL-SERVER document that ships with fetchmail.
> fetchmail: This could mean that the root CA's signing certificate is not in the trusted CA certificate location, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page.
> fetchmail: OpenSSL reported: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> fetchmail: SSL connection failed.
> fetchmail: socket error while fetching from ad...@se...@pop.gmail.com
> fetchmail: Query status=2 (SOCKET)

Seems you have some box on the way to Google which does man-in-the-middle.

I see the certificate for pop.gmail.com signed by "Google Internet Authority G2" (sha1 fingerprint: bb dc e1 3e 9d 53 7a 52 29 91 5c b1 23 c7 aa b0 a8 55 e7 98), which in turn is signed by "GeoTrust Global CA" (sha1 fingerprint: de 28 f4 a4 ff e5 b9 2f a3 c5 03 d1 a3 49 a7 f9 96 2a 82 12). No "Equifax" at all.

Martin
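Added example, not part of this thread or of fetchmail: it builds a throw-away root -> intermediate -> leaf chain with the openssl CLI and verifies the leaf against the root alone, which reproduces the "unable to get local issuer certificate" error in Jerry's log whenever the intermediate is not supplied, and it prints a fingerprint in the 16-byte colon-separated shape of the quoted sslfingerprint value. It assumes the openssl CLI is installed; the CA names and the host pop.example.test are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: constructed root -> intermediate -> leaf
# chain, verified the way sslcertck does (trust anchor = root CA file only).
WORK=$(mktemp -d)

# Generate the three certificates into $WORK (RSA keys, 2-day validity).
make_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
    -days 2 -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > "$WORK/ca.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=pop.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 2 -out "$WORK/leaf.pem" 2>/dev/null
}

# verify_chain TRUSTFILE LEAF [UNTRUSTED]: echoes ok, missing-issuer or failed.
# Without the intermediate in UNTRUSTED, OpenSSL cannot link the leaf to the
# trusted root; that is the exact error fetchmail reported in Jerry's log.
verify_chain() {
  if [ -n "$3" ]; then
    out=$(openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1) || true
  else
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
  fi
  case "$out" in
    *": OK"*) echo ok ;;
    *"unable to get local issuer certificate"*) echo missing-issuer ;;
    *) echo failed ;;
  esac
}

# cert_fingerprint PEMFILE: colon-separated 16-byte MD5 digest of the cert, the
# same shape as the quoted sslfingerprint value (fetchmail 6.x compares MD5,
# not the SHA-1 fingerprints a browser shows).
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -md5 | sed 's/^.*=//'
}

make_chain
echo "root only:            $(verify_chain "$WORK/root.pem" "$WORK/leaf.pem")"
echo "root + intermediate:  $(verify_chain "$WORK/root.pem" "$WORK/leaf.pem" "$WORK/inter.pem")"
echo "leaf md5 fingerprint: $(cert_fingerprint "$WORK/leaf.pem")"
```

With a real server, `openssl s_client -connect host:995 -showcerts` shows which certificates the server actually sends; a chain that ends at an issuer you do not recognise, as with the Equifax entry above, is the thing to examine before resorting to sslfingerprint.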