Menu
▾
▴
Re: [Fetchmail-devel] set sha1 fingerprint checking correctly on fetchmail
|
From: grarpamp <gra...@gm...> - 2017-10-04 04:16:40
|
>> My mail service provider gmx.com recently appears to have changed their fingerprint to SHA1 (I am guessing) as a result of which my fetchmail has stopped working. > > No. Fetchmail 6.3.26 will use MD5 fingerprints no matter what. If under the same fetchmail config, gmx was working before, then gmx quit working with fingerprint error, then gmx either swapped their cert out for something else, or they're under attack, or you're under attack. That's why certificate pinning exists... to help detect that. You can usually verify a cert swap by manually consulting an observatory or the service provider, or if CA is trusted. Attacks are usually more transient such as via Tor, coffee shops, foreign lands, and governments as with FinFisher and Skype / WhatsApp, etc. Your updated config quit because fetchmail only supports the broken MD5 hash function over the cert. Openssl thus fetchmail's fingerprint is over the public cert DER form itself, similar idea as making a hash of some file on your disk. > Given that you can only specify one > fingerprint, for big sites such as GMX If a service has two or more certs, yes that would be a pain. We see it with web services like wikipedia. And gmail's global rollout is known to not happen all at the same time. I suspect a proper survey, or checking the observatories, would probably find more instances of affected email services. > it's /currently/ better to use --sslcertck and rely on certificate checking. So long as you don't care about trusting the root CA's and MITM's, both of which have occured in the past. Probably also want to read up on DNSSEC to cover that part too. At least if your mail is sensitive. Most people don't care. Don't remember if you can pin down just google's intermediate CA with a fetchmail fingerprint to let their service cert float, but do think you can put it in a cert file on disk. It's one step removed from pinning a cert to a specific server, but does save hacking config on every cert change. 7.x should have both cert and modular config enhancements on the roadmap somewhere. Feel free to pick them up from the list and bugtracker and get them / 7.x moving. |
