From: Matthias A. <mat...@gm...> - 2020-07-09 10:33:08
On 07.07.20 at 14:00, Ranjan Maitra wrote:
> On Thu, 2 Jul 2020 21:13:00 +0200 Matthias Andree <mat...@gm...> wrote:
>
>> On 02.07.20 at 15:28, Ranjan Maitra wrote:
>>> Hi,
>>>
>>> Here is my .fetchmailrc
>>>
>>> set daemon 301
>>> poll pop.gmx.com
>>> protocol POP3
>>> service 995
>>> authenticate password
>>> user "use...@gm..."
>>> ssl
>>> sslfingerprint "5C:6B:60:FE:80:97:0B:13:EB:36:A3:66:48:28:7A:61:5E:B2:25:DA"
>>> mda 'procmail -d %s'
>>> keep
>>>
>>> ...
>>> verify return:1
>>> SHA1 Fingerprint=5C:6B:60:FE:80:97:0B:13:EB:36:A3:66:48:28:7A:61:5E:B2:25:DA
>>>
>>> Any suggestions as to what I am doing wrong?
>>>
>>> I am on F32 (fully updated) which has fetchmail-6.4.1 and openssl-1:1.1.1g.
>>>
>>> Many thanks,
>>> Ranjan
>> Perhaps they have corrected the issue, because I currently get this with
>> -cvv and the subjectAltName seems to cover their usage.
>>
>> ...
>> fetchmail: pop.gmx.com key fingerprint:
>> A5:6D:6D:D4:2D:BE:4D:F5:0A:3A:DD:3E:A6:C2:D3:E8
>> fetchmail: SSL/TLS: using protocol TLSv1.3, cipher
>> TLS_AES_256_GCM_SHA384, 256/256 secret/processed bits
>> fetchmail: POP3< +OK POP server ready H migmx003 1M7L3e-1jjMxZ1u5E-007l8Y
>> ...
>>
> Thank you for this. I have changed my fingerprint to match what you write, and this seems to work. It is interesting why the other command
> gives an incorrect fingerprint.

Ranjan,

It is not incorrect, but calculated differently, with a different hash function. The default fetchmail fingerprint in 6.3 and 6.4 is MD5 (which IS specified in the manual page of 6.4.x in the prose describing --sslcertck), while your OpenSSL command output shows an SHA1 hash and was not obtained with the suggested openssl command line from the manual. I found one place in the manual where I've added the MD5 name, but that's not yet released. Should appear in 6.4.9 if one is needed or else the next 6.5.x.

Fetchmail 6.X shall continue to use MD5 for compatibility reasons, but we'll need to change that to a more secure hash in a future fetchmail version, and also mention what hash is being used to avoid confusion.

Regards,
Matthias
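
The mismatch discussed in this message, as an added Python example that is not part of the original e-mail or of fetchmail's code: a certificate fingerprint is a hash of the certificate's DER encoding, so one certificate has a different fingerprint per hash function, and the digest length tells which function a given value came from. The function names and the sample PEM (arbitrary bytes, not a real certificate) are constructed for illustration.

```python
import base64
import hashlib

# Digest sizes in bytes for the hashes commonly used for certificate fingerprints.
DIGEST_SIZES = {16: "md5", 20: "sha1", 32: "sha256"}

def normalize(fp):
    """Strip separators/whitespace and upper-case a fingerprint string."""
    return "".join(c for c in fp if c not in ": \t\n").upper()

def guess_hash(fp):
    """Infer the hash function from the fingerprint length alone."""
    hexstr = normalize(fp)
    return DIGEST_SIZES.get(len(hexstr) // 2) if len(hexstr) % 2 == 0 else None

def pem_to_der(pem):
    """Decode the base64 body between the BEGIN/END CERTIFICATE lines."""
    body = [l for l in pem.strip().splitlines() if not l.startswith("-----")]
    return base64.b64decode("".join(body))

def fingerprint(der, algo):
    """Hash the DER encoding and format it as colon-separated hex pairs."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def matching_hash(der, configured_fp):
    """Return the hash under which configured_fp matches this certificate."""
    want = normalize(configured_fp)
    for algo in DIGEST_SIZES.values():
        if normalize(fingerprint(der, algo)) == want:
            return algo
    return None

# Constructed stand-in: arbitrary bytes in a PEM wrapper, not a real certificate.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
Y29uc3RydWN0ZWQgc2FtcGxlIGJ5dGVzLCBub3QgYSByZWFsIGNlcnRpZmljYXRl
-----END CERTIFICATE-----"""

if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    for algo in ("md5", "sha1", "sha256"):
        print(algo, fingerprint(der, algo))
    # The two fingerprints quoted in the thread differ in length, hence in hash.
    print(guess_hash("A5:6D:6D:D4:2D:BE:4D:F5:0A:3A:DD:3E:A6:C2:D3:E8"))
    print(guess_hash("5C:6B:60:FE:80:97:0B:13:EB:36:A3:66:48:28:7A:61:5E:B2:25:DA"))
```

To diagnose a real mismatch, pass the server certificate's PEM text to `pem_to_der` and the configured `sslfingerprint` value to `matching_hash`.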