From: Matthias A. <mat...@gm...> - 2017-10-03 23:36:05
On 03.10.2017 at 15:42, Globe Trotter via Fetchmail-devel wrote:
> Hi,
>
> My mail service provider gmx.com recently appears to have changed their fingerprint to SHA1 (I am guessing) as a result of which my fetchmail has stopped working.

No. Fetchmail 6.3.26 will use MD5 fingerprints no matter what.

> Here is the fingerprint I get:
> $openssl s_client -connect pop.gmx.com:995 | openssl x509 -in /dev/stdin -sha1 -noout -fingerprint

You're asking OpenSSL for the SHA1 fingerprint, but you need the MD5 fingerprint, as specified in fetchmail's manual page, and that's what you get in the "mismatch" reporting.

Given that you can only specify one fingerprint, for big sites such as GMX it's /currently/ (in fetchmail 6.3.X) better to use --sslcertck and rely on certificate checking. You need to install the root certificate though; most distributions have a package such as ca-certificates, nss_root_ca, or similar, and it should Just Work™. Also see README.SSL as shipped with fetchmail.
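The digest mix-up discussed in the reply above can be checked offline. The following is an added example, not part of the original message or of fetchmail: it recognises which hash a pinned fingerprint was made with from its length and compares it the way the reply says fetchmail 6.3.x does (MD5 only). The names fingerprint, pin_digest, check_pin and SAMPLE_DER are hypothetical, and SAMPLE_DER is constructed stand-in bytes rather than a real certificate.

```python
import hashlib

# Digest sizes in bytes, used to recognise which hash produced a pin.
DIGEST_BY_LEN = {16: "md5", 20: "sha1", 32: "sha256"}

# Constructed stand-in for the DER bytes of a server certificate.
# Real DER can be obtained with ssl.PEM_cert_to_DER_cert(pem_text).
SAMPLE_DER = b"constructed stand-in for a DER-encoded certificate"


def fingerprint(der: bytes, algo: str = "md5") -> str:
    """Colon-separated upper-case hex digest over the DER certificate,
    the layout printed by `openssl x509 -noout -fingerprint`."""
    digest = hashlib.new(algo, der).digest()
    return ":".join(f"{b:02X}" for b in digest)


def _pin_bytes(pin: str) -> bytes:
    """Decode a colon-separated hex pin; empty bytes if it is not hex."""
    try:
        return bytes.fromhex(pin.replace(":", "").strip())
    except ValueError:
        return b""


def pin_digest(pin: str) -> str:
    """Name the hash behind a pin, judged by its decoded length."""
    return DIGEST_BY_LEN.get(len(_pin_bytes(pin)), "unknown")


def check_pin(der: bytes, pin: str) -> str:
    """Compare a pin against the certificate's MD5 fingerprint only.

    A pin of any other digest can never match, so it is reported as a
    wrong-digest configuration error rather than a changed certificate."""
    kind = pin_digest(pin)
    if kind != "md5":
        return f"wrong-digest:{kind}"
    if _pin_bytes(pin) == hashlib.md5(der).digest():
        return "match"
    return "mismatch"


if __name__ == "__main__":
    sha1_pin = fingerprint(SAMPLE_DER, "sha1")
    md5_pin = fingerprint(SAMPLE_DER, "md5")
    print(sha1_pin, "->", check_pin(SAMPLE_DER, sha1_pin))
    print(md5_pin, "->", check_pin(SAMPLE_DER, md5_pin))
```

A "wrong-digest:sha1" result means the pin has to be regenerated with -md5 instead of -sha1; a plain "mismatch" on an MD5 pin means the server presented a different certificate.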