Re: [Fetchmail-users] set sha1 fingerprint checking correctly on fetchmail

[grarpamp <gra...@gm...>]

On Tue, Oct 3, 2017 at 10:09 AM, Globe Trotter via Fetchmail-users
<fet...@li...> wrote:
> $openssl s_client -connect pop.gmx.com:995 | openssl x509 -in /dev/stdin -sha1 -noout -fingerprint
> SHA1 Fingerprint=4D:69:52:FB:5F:18:34:5E:02:E2:7D:B5:95:B8:BD:3E:E1:8F:FD:F8

> fetchmail: 6.3.26 querying pop.gmx.com (protocol POP3) at Mon 02 Oct 2017 11:24:50 PM CDT: poll started
> fetchmail: pop.gmx.com key fingerprint: 6F:3E:88:EF:14:35:2C:69:7A:22:03:C8:2B:90:B3:8C
> fetchmail: pop.gmx.com fingerprints do not match!

That's because the world's defaults have moved to sha1 or better,
(an understanding demonstrated in your example command line above),
while all branches of fetchmail still use only the long ago
broken and deprecated MD5 in its configuration.

Downgrade to the broken MD5 representation,
or make fetchmail 7.x an actual thing.
The latter being the much preferred outcome :)