On Sat, Apr 17, 2004 at 10:26:06AM +0100, Brian Candler wrote:
> fetchmail: Server CommonName mismatch: webmail.example.com != pop3.example.com
> fetchmail: Server CommonName mismatch: webmail.example.com != pop3.example.com
> fetchmail: Server CommonName mismatch: webmail.example.com != pop3.example.com
Ah. fetchmail -v shows the actual SSL errors:
fetchmail: Issuer Organization: Thawte Consulting cc
fetchmail: Issuer CommonName: Thawte Server CA
fetchmail: Server CommonName: webmail.example.com
fetchmail: Server CommonName mismatch: webmail.example.com != pop3.example.com
fetchmail: pop3.example.com key fingerprint: 9B:04:3A:0A:08:65:16:DB:87:66:8C:30:0F:98:13:61
fetchmail: Warning: server certificate verification: unable to get local issuer certificate
fetchmail: Issuer Organization: Thawte Consulting cc
fetchmail: Issuer CommonName: Thawte Server CA
fetchmail: Server CommonName: webmail.example.com
fetchmail: Server CommonName mismatch: webmail.example.com != pop3.example.com
fetchmail: Warning: server certificate verification: certificate not trusted
fetchmail: Issuer Organization: Thawte Consulting cc
fetchmail: Issuer CommonName: Thawte Server CA
fetchmail: Server CommonName: webmail.example.com
fetchmail: Server CommonName mismatch: webmail.example.com != pop3.example.com
fetchmail: Warning: server certificate verification: unable to verify the first certificate
So, as far as I can work out:
- fetchmail is returning "ok" to each verification callback request, since
we're not insisting on the checks passing
- openssl is calling the verify callback several times for the same
certificate
- openssl's own verification is failing because I have no root certificates
installed
Right, I have now put the openssl set of root certificates in a directory,
run c_rehash on them, and run
fetchmail -v --sslcertpath=/path/to/certs
and it still doesn't work.
Aha: it seems fetchmail's sslcertpath option currently does nothing unless
sslcertck is also set (which I don't want). This is easily fixed:
--- socket.c.orig Fri Oct 10 11:32:15 2003
+++ socket.c Sun Apr 18 14:28:48 2004
@@ -960,13 +960,13 @@
if (certck) {
SSL_CTX_set_verify(_ctx, SSL_VERIFY_PEER,
SSL_ck_verify_callback);
- if (certpath)
- SSL_CTX_load_verify_locations(_ctx, NULL, certpath);
} else {
/* In this case, we do not fail if verification fails. However,
* we provide the callback for output and possible fingerprint
checks. */
SSL_CTX_set_verify(_ctx, SSL_VERIFY_PEER,
SSL_nock_verify_callback);
}
+ if (certpath)
+ SSL_CTX_load_verify_locations(_ctx, NULL, certpath);
_ssl_context[sock] = SSL_new(_ctx);
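Review bot: the relocated `SSL_CTX_load_verify_locations(_ctx, NULL, certpath)` call still discards its return value, so a cert path that does not exist or has not been c_rehash'd fails silently and the user is left with the very "unable to get local issuer certificate" warning the option was meant to cure. Test the result and report it, e.g. `if (certpath && !SSL_CTX_load_verify_locations(_ctx, NULL, certpath))` followed by an error message that names certpath; this matters at least as much in the sslcertck branch just above, where verification is fatal and a silent load failure would make every connection fail for a reason the log does not show.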
Now if I give --sslcertpath I only see the Server CommonName mismatch error
once (because OpenSSL happily verifies the connection all the way to the
root certificate, so the only error is the name mismatch). This is good.
OK, well this has been an interesting journey of discovery about openssl.
I'm not sure what this means for fetchmail though: perhaps the CN mismatch
error should only be printed if certck is enabled. Otherwise, perhaps a flag
should be set so that it only gets printed once.
Sorry if this is of little interest to the majority of fetchmail users! Just
something that has been bugging me for a while...
Cheers,
Brian.
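The three results Brian describes (chain fails without a cert path, chain verifies against a c_rehash'd path, and the only remaining complaint is the CN mismatch) can be reproduced with the openssl command line. The script below is an added example, not fetchmail code and not from the thread: it generates a stand-in root CA and a server certificate with subject CN webmail.example.com (constructed test data; the host names are the ones from the log above), builds a hashed cert directory by hand the way c_rehash does, and then runs `openssl verify` with and without `-CApath`. It assumes an openssl(1) binary of version 1.1.0 or newer on PATH; OpenSSL's own `-verify_hostname` stands in for the CN comparison fetchmail does itself.

```shell
#!/bin/sh
# Added example (not fetchmail code): reproduce the chain-verification and
# CN-mismatch results from the thread with openssl(1). Assumes openssl 1.1.0 or
# newer on PATH. The CA and server certificate are generated here as constructed
# test data; the host names come from the log lines in the message.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-in for a root CA plus a server certificate it issued. The certificate's
# subject CN is webmail.example.com, not the pop3.example.com we will "dial".
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Example Root/CN=Example Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=webmail.example.com" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/server.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/server.pem" 2>/dev/null
}

# What c_rehash does to an --sslcertpath directory: the CApath lookup finds an
# issuer by the file name <subject-name-hash>.<n>, so an unhashed copy of the
# CA file in the same directory is never consulted.
make_capath() {
    mkdir -p "$WORK/certs"
    ln -sf "$WORK/ca.pem" \
        "$WORK/certs/$(openssl x509 -noout -hash -in "$WORK/ca.pem").0"
}

# Run "openssl verify" with the given arguments and print either OK or the
# first verification error text (e.g. "unable to get local issuer certificate").
status_of() {
    out=$(openssl verify "$@" 2>&1 || true)
    case "$out" in
        *": OK"*) echo OK ;;
        *) printf '%s\n' "$out" \
             | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1 ;;
    esac
}

# Chain check only, as fetchmail does without sslcertck. $1 = cert path or "".
chain_status() {
    if [ -n "$1" ]; then
        status_of -no-CAfile -CApath "$1" "$WORK/server.pem"
    else
        status_of -no-CAfile -no-CApath "$WORK/server.pem"
    fi
}

# Chain check plus the name check fetchmail performs itself (CN against the host
# it connected to); here openssl's own -verify_hostname does that comparison.
host_status() {
    status_of -no-CAfile -CApath "$WORK/certs" -verify_hostname "$1" "$WORK/server.pem"
}

make_pki
make_capath
echo "no cert path:                                 $(chain_status "")"
echo "hashed cert path:                             $(chain_status "$WORK/certs")"
echo "cert path, connecting to webmail.example.com: $(host_status webmail.example.com)"
echo "cert path, connecting to pop3.example.com:    $(host_status pop3.example.com)"
```

The first line of output is the "unable to get local issuer certificate" case from the log; the second is the chain verifying once the hashed directory is supplied; the last two show that with the chain trusted the only remaining error is the host-name mismatch, which is exactly the single CN complaint left after the patch. Dropping the `ln -sf` step and copying `ca.pem` into the directory instead reproduces the "sslcertpath does nothing" symptom for a different reason: the file is there, but OpenSSL never opens it.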