fetchmail-friends

Re: [fetchmail]disable ssl cert check

2006-04-05 15:08:12
Nerijus Baliunas <nerijus(_at_)users(_dot_)sourceforge(_dot_)net> writes:

> On Mon, 3 Apr 2006 07:12:54 +0100 Rob MacGregor
> <rob(_dot_)macgregor(_at_)gmail(_dot_)com> wrote:
>
>>> Just a message in logs - Server certificate verification error: self
>>> signed certificate.
>>> If it is not possible to avoid this message, is there some easy info (in
>>> wiki?) on how to import self signed certificates?
>>
>> I seem to recall some OpenSSL documentation on the issue (as this is
>> an OpenSSL "problem").  You'll have to go digging yourself I'm afraid
>> as I don't remember any more than that.
>
> OK, so when the sslcertck option is made the default in the future, either
> of the following should be done:
> a switch added which can disable sslcertck.

It's already there and called "sslfingerprint". It's merely a
workaround, but at least it prevents connections when the certificate
changed.

Specify sslfingerprint followed by a quoted string; for instance, this
might be in .fetchmailrc:

sslfingerprint "99:A9:55:D9:F5:51:F9:40:CC:A4:C6:26:A2:8E:46:14"

and do *not* specify sslcertck.  The fingerprint is shown if you run
fetchmail with the -v option. (At least for recent versions.)

Then call the provider or fax him to ask for the POP3 or IMAP server
certificate fingerprint (as obtained by
"openssl x509 -in server-cert.pem -noout -md5 -fingerprint",
where server-cert.pem contains the server certificate as you already
guessed) and then compare them. If they match, fine. If they do not
match, find the eavesdropper and get rid of him.

> easy documentation on how to import certificates written.

1. be sure to use a recent fetchmail version, 6.3.2 or newer.
   Older versions have security bugs (unless patched by your vendor),
   and they do not set the default --sslcertpath properly.

2. Local certification authorities, if the ISP didn't have their server
   certificate signed by some renowned trust center, would usually
   provide root certificates for download.

   Download the root certificate, then do either of a or b (just one is
   sufficient):

   a) install the *root* certificate of the signature chain into
      /etc/ssl/certs or the default directory and run c_rehash

   b) install the *root* certificate of the signature chain into
      some directory, run c_rehash on that directory, and finally
      add   sslcertpath "/MY/CERT/PATH"   to the fetchmailrc.
      Of course, you need to change /MY/CERT/PATH and type the
      actual location THERE.

If the certificate isn't in the right format, openssl x509 can be used
to convert it to the right format. Details in the x509(1ssl) manual.

I'm not sure if the above procedure works with server certificates, but
it's much less useful since it would establish trust only for the server
certificate -- and you still need to verify *that*. sslfingerprint would
be easier in this case.

-- 
Matthias Andree

_______________________________________________
Fetchmail-friends mailing list
Fetchmail-friends(_at_)lists(_dot_)ccil(_dot_)org
http://lists.ccil.org/cgi-bin/mailman/listinfo/fetchmail-friends
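The fingerprint check described in the message above, as an added example that is not fetchmail's code and not from the thread: it shows what "openssl x509 -noout -md5 -fingerprint" actually digests (the DER encoding of the certificate, i.e. the base64 body of the PEM file), the colon-separated upper-case form fetchmail's sslfingerprint option takes (MD5, as in the message), and the compare-and-refuse step fetchmail performs at connect time. The PEM block and the pinned value are constructed placeholders (the body decodes to the bytes "abc", not a real certificate); the function names are this example's own. The root-certificate-directory procedure (c_rehash, sslcertpath) is not covered here.

```python
"""Certificate fingerprint pinning as fetchmail's sslfingerprint does it.

Added example, not fetchmail code. The digest is computed over the DER
bytes of the certificate, which is exactly what
"openssl x509 -in server-cert.pem -noout -md5 -fingerprint" hashes.
"""
import base64
import hashlib
import hmac

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if PEM_HEADER not in lines or PEM_FOOTER not in lines:
        raise ValueError("no PEM certificate block found")
    start = lines.index(PEM_HEADER) + 1
    end = lines.index(PEM_FOOTER)
    return base64.b64decode("".join(lines[start:end]), validate=True)


def fingerprint(der: bytes, algo: str = "md5") -> str:
    """Colon-separated upper-case hex digest of the DER bytes: the form
    openssl prints and fetchmail's sslfingerprint expects (fetchmail uses MD5)."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(presented: str, pinned: str) -> bool:
    """Compare two fingerprints ignoring case and colons, in constant time,
    so a provider-supplied lower-case value still matches."""
    def norm(s: str) -> bytes:
        return s.replace(":", "").strip().lower().encode()
    return hmac.compare_digest(norm(presented), norm(pinned))


def fetchmailrc_line(pinned: str) -> str:
    """The .fetchmailrc directive for a pinned server fingerprint."""
    return f'sslfingerprint "{pinned}"'


def check_server_cert(pem: str, pinned: str) -> bool:
    """What fetchmail does with sslfingerprint set: hash the certificate the
    server presented and refuse the connection unless it matches the pin."""
    return fingerprint_matches(fingerprint(pem_to_der(pem)), pinned)


# Constructed placeholder (this example's own, not a real certificate): the
# base64 body decodes to the bytes b"abc". The computation is identical for a
# real certificate because openssl hashes the DER bytes exactly as found here.
SAMPLE_PEM = "\n".join([PEM_HEADER, "YWJj", PEM_FOOTER])
# The value the provider would confirm by phone or fax (here: MD5 of b"abc").
PINNED = "90:01:50:98:3C:D2:4F:B0:D6:96:3F:7D:28:E1:7F:72"

if __name__ == "__main__":
    print(fetchmailrc_line(fingerprint(pem_to_der(SAMPLE_PEM))))
    print("matches pin:", check_server_cert(SAMPLE_PEM, PINNED))
    # A changed certificate (different DER bytes) must be rejected: this is
    # the "find the eavesdropper" case from the message.
    changed = "\n".join([PEM_HEADER, base64.b64encode(b"abd").decode(), PEM_FOOTER])
    print("changed cert accepted:", check_server_cert(changed, PINNED))
```

Run it as a script to see the generated sslfingerprint line and the accept/reject results; for a real server, feed it the PEM you captured from the server and the value the provider gave you out of band. As the message points out, the pin only protects against a changed certificate: it does not tell you whether the certificate you pinned was the right one in the first place, which is why the fingerprint has to be confirmed over an independent channel.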
