From: grarpamp <gra...@gm...> - 2017-02-19 20:45:53
On Sun, Feb 19, 2017 at 2:36 PM, Matthias Andree <mat...@gm...> wrote:
> TLS1.2 into a formal release that won't hiccup the day TLS1.3 appears,

If the client is speaking 1.2 to a 1.3 capable server that still offers 1.2 (or below), is any hiccup expected to happen?

> authoritative. Is your ISP faxing their fingerprints to you?

Out of band could happen in relatively unchanging deployments, perhaps corporate environments. Also rare would be PGP-signed cert statements that web of trust back to you. I've seen some services that post them on a webserver for download, like the CAs do with their roots. It's not exactly out of band, but is better than only receiving them via each TLS connection itself. Then you have the cert observatory projects.

Google, for example, is notorious for server cert churn, under three months. However, it has its own long-term intermediate CA signed by a root, and that int-CA is reasonably verifiable. Users could just trust those int-CA fingerprints and let all the server certs they sign pass as ok, which is what browsers do. Don't know if fetchmail supports that mode of checking, but it would be useful (in sslfingerprint and in cert file).

https://pki.google.com/GIAG2.crt
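
The int-CA trust mode suggested in this message, as an added example that is not part of the original thread and is not fetchmail code: a bash script that builds a constructed throwaway PKI with the openssl CLI and accepts a server cert only if it verifies against a fingerprint-pinned intermediate used as the sole trust anchor. All subjects, host names and file names are made up for the demonstration.

```shell
#!/usr/bin/env bash
# Added example: constructed throwaway PKI (root -> intermediate -> leaves).
# Every subject, host name and file name below is made up.
set -e
work=$(mktemp -d)

fp() {  # SHA-256 fingerprint of a PEM certificate
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

csr() {  # csr NAME SUBJECT: new EC key plus certificate request
  openssl ecparam -name prime256v1 -genkey -noout -out "$1.key"
  openssl req -new -key "$1.key" -subj "$2" -out "$1.csr"
}

sign() {  # sign NAME ISSUER [extra x509 args]: issue NAME.pem from NAME.csr
  local name=$1 issuer=$2; shift 2
  openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
    -CAcreateserial -days 30 -out "$name.pem" "$@" 2>/dev/null
}

selfsign() {  # selfsign NAME SUBJECT: self-signed CA certificate
  openssl ecparam -name prime256v1 -genkey -noout -out "$1.key"
  openssl req -x509 -new -key "$1.key" -subj "$2" -days 30 -out "$1.pem"
}

make_pki() (
  cd "$work"
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  selfsign root "/CN=Demo Root"
  csr int "/CN=Demo Intermediate CA"; sign int root -extfile ca.ext
  # Two leaf certs for the same host simulate short-lived server cert churn.
  csr leaf1 "/CN=mail.example.test"; sign leaf1 int
  csr leaf2 "/CN=mail.example.test"; sign leaf2 int
  # A cert for the same host name issued under an unrelated CA.
  selfsign other "/CN=Other CA"
  csr rogue "/CN=mail.example.test"; sign rogue other
)

# Accept a server cert only if the local CA file still has the pinned
# fingerprint and the server cert verifies with that CA as sole trust anchor.
trusted_by_pinned_ca() {  # CA_PEM PINNED_FP SERVER_PEM
  [ "$(fp "$1")" = "$2" ] &&
    openssl verify -partial_chain -trusted "$1" "$3" >/dev/null 2>&1
}

make_pki
```

Because the pin is on the intermediate, a renewed server cert passes without any change on the client, while a cert for the same host name from a different issuer is rejected; host name matching is a separate check not shown here.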