#9 fingerprint check

open
nobody
None
5
2014-04-10
2010-09-23
Ben Kibbey
No

borrowed heavily from the fetchmail source. this checks the fingerprint of the server against a colon separated hex string of a user specified MD5 hash. Adds configuration settings Fingerprint and CheckFingerprint.

Discussion

  • Oswald Buddenhagen

    i pushed a modified version of your patch to an experimental 'ssl-fprint' branch in the git repo.
    the master branch already contains some improvements of ssl certificate handling. please verify the continued usefulness of the functionality and rebase or discard the patch accordingly.

     
  • Ben Kibbey

    Ben Kibbey - 2010-09-29

    The revised patch is against your master branch. Sorry for not doing this to
    begin with.

     
  • Oswald Buddenhagen

    so, now i finally looked at this. :}
    the patch verifies that the fingerprint of a certificate which was already confirmed to be good matches - i'm not quite sure what this is supposed to be good for?

     
  • Ben Kibbey

    Ben Kibbey - 2012-08-26

    The original check verifys the certificate chain only. The server certificate may have been replaced with another and the patch would detect this.

     
  • Oswald Buddenhagen

    huh, somehow i missed your response.
    i don't really see the point. if you are worried about mbsync accepting only exactly one specific certificate, feed it via CertificateFile. that seems easier than extracting the fingerprint.

     
    • Ben Kibbey

      Ben Kibbey - 2013-07-27

      Well, I use it in conjunction with pwmd along with shared fetchmail elements and this just makes things easier is all.

       
  • Ben Kibbey

    Ben Kibbey - 2014-04-10

    The CertificateFile docs say:

    "File containing additional X.509 certificates used to verify server identities. Directly matched peer certificates are always trusted, regardless of validity.

    Note that the system's default certificate store is always used and should not be specified here."

    The additional and "system's default" wording makes it seem as if I wouldn't be able to tell if the server I am connecting to changes certificates or not. Only whether the certificate is valid. The heartbleed SSL bug is a good example of this feature being useful.

     
  • Oswald Buddenhagen

    this is correct, but then it would seem more in order to have an option to disable loading of the default root certificate store, rather than burdening the user with a manual check, no?

     
  • Ben Kibbey

    Ben Kibbey - 2014-04-10

    Either option would work. For me though, the fingerprint check is better because fetchmail uses the same method. :)

     

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:





No, thanks