From: Matthias A. <mat...@gm...> - 2015-05-09 07:27:11
On 09.05.2015 at 01:09, Joe Acquisto-j4 wrote:
>>>> On 5/8/2015 at 10:41 AM, Matthias Andree <mat...@gm...> wrote:
>> On 07.05.2015 at 22:20, Joe Acquisto-j4 wrote:
>>>>>> Matthias Andree <mat...@gm...> 05/07/15 2:51 PM >>>
>>> On 07.05.2015 at 01:09, Joe Acquisto-j4 wrote:
>>>> As my provider is soon going exclusively to ssl/tls, I need to finally get fetchmail configured correctly for certs.
>>>>
>>>> I am seeing this: fetchmail: Server certificate verification error: certificate signature failure
>>>>
>>>> I checked and the cert is expired. Could that be it?
>>>>
>>>> Also, my fetchmail is probably well out of date, and I expect some public shaming, so to facilitate that:
>>>>
>>>> This is fetchmail release 6.3.2+POP2+IMAP-GSS+RPA+NTLM+SDPS+SSL+OPIE+SOCKS+NLS
>>>>
>>>> I am prepared. I think.
>>>
>>> I think I fixed certificate-check-related bugs in the 24 releases since
>>> then... but with expired certificates the provider is putting shame on
>>> itself, too.
>>>
>>> Twenty four since the version I'm using? (look of shame).
>>>
>>> Anyway, the error message is related to the *provider's* cert, not me?
>>
>> First of all, use mail software that can attribute and indent quoted
>> material properly.
>>
>> Then, yes, it's time to upgrade - I do not recall what 6.3.2 did wrong,
>> and I am inclined to let people (i.e. you) read the NEWS file of a
>> newer version by themselves to figure out what got repaired...
>> at the very least, you will get clearer SSL/TLS error reporting out of
>> newer versions, so you can then assess the situation better.
>>
>
> So running 6.3.26 now. Downloaded it a while back, actually,
>
>
> Below is a snippet:
>
> fetchmail: POP3< .
> fetchmail: POP3> STLS
> fetchmail: POP3< +OK Begin TLS negotiation now.
> fetchmail: Issuer Organization: GeoTrust, Inc.
> fetchmail: Issuer CommonName: RapidSSL CA
> fetchmail: Server CommonName: *.myisp.com
> fetchmail: Subject Alternative Name: *.myisp.com
> fetchmail: Subject Alternative Name: myisp.com
> fetchmail: mail.bravehost.com key fingerprint: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
> fetchmail: Server certificate verification error: certificate signature failure
> fetchmail: POP3> CAPA
> fetchmail: POP3< +OK
>
>
> Mail does get fetched and delivers locally as before. The other end is, supposedly, configured to do ssl/tls only. May I infer (correctly!)
> it is using TLS despite the message?

It is continuing to use TLS, but the certificate verification has failed, and thus something is messing up the security layer. Add --sslcertck to have fetchmail abort in this situation. (You can put a "default" entry into the rcfile, see the manual for details.)

Now, what OpenSSL version are you using? Is it some 1.0.0 or 1.0.1 version? It should be; 0.X.Y versions are way out of date.

NOTE: You may need to recompile fetchmail after upgrading OpenSSL.
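To find the situation described in this reply in saved verbose output, the following added example (not part of the original message and not fetchmail code) scans a log for a certificate verification error that is followed by further client commands. The function name `audit`, the finding fields and the restriction to POP3 lines are assumptions of the example.

```python
import re

# Sample input: the verbose output quoted in the message above,
# with the placeholder fingerprint kept as posted.
SAMPLE_LOG = """\
fetchmail: POP3< .
fetchmail: POP3> STLS
fetchmail: POP3< +OK Begin TLS negotiation now.
fetchmail: Issuer Organization: GeoTrust, Inc.
fetchmail: Issuer CommonName: RapidSSL CA
fetchmail: Server CommonName: *.myisp.com
fetchmail: Subject Alternative Name: *.myisp.com
fetchmail: Subject Alternative Name: myisp.com
fetchmail: mail.bravehost.com key fingerprint: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
fetchmail: Server certificate verification error: certificate signature failure
fetchmail: POP3> CAPA
fetchmail: POP3< +OK
"""

VERIFY_ERR = re.compile(r"^fetchmail: Server certificate verification error: (.+)$")
FIELD = re.compile(r"^fetchmail: (Issuer CommonName|Server CommonName): (.+)$")
# Only the command verb is captured, so USER/PASS arguments never reach a finding.
CLIENT_CMD = re.compile(r"^fetchmail: POP3> (\S+)")


def audit(log_text):
    """Return one finding per verification error; 'continued' is True when
    fetchmail sent further POP3 commands after the failed check."""
    findings, cert, current = [], {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := CLIENT_CMD.match(line)):
            cmd = m.group(1).upper()
            if cmd == "STLS":            # new handshake: forget the previous certificate
                cert, current = {}, None
            elif current is not None:    # traffic after a failed verification
                current["commands_after"].append(cmd)
        elif (m := FIELD.match(line)):
            cert[m.group(1)] = m.group(2)
        elif (m := VERIFY_ERR.match(line)):
            current = {"reason": m.group(1), "cert": dict(cert), "commands_after": []}
            findings.append(current)
    for finding in findings:
        finding["continued"] = bool(finding["commands_after"])
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

A finding with `continued` set to true means mail was exchanged over a session whose peer certificate did not verify, which is the case `--sslcertck` turns into an abort.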