Matthias Andree wrote:
Not necessarily. When checking the certificate's fingerprint with
sslfingerprint, nosslcertck should suppress all warnings about
incomplete certificate chains.
The (justified) complaint was that "nosslcertck" does not exist.
One already can leave sslcertck out.
(I expected that that has the same effect as "nosslcertck"...)
I don't plan to add this option however, because the user might just as
well not use ssl/tls at all to achieve the same purpose.
> I'm not going to to take part in new "creating false feeling of
> security" games.
Do you say that verifying ssl certificate fingerprints against known
values does create a false feeling of security?
In what respect is this less safe than a certificate chain?
My university's ssl certs expired recently, and it took several weeks
for them to get new ones. An intermediate solution was to use self
signed certificates on the servers and publish their fingerprints.
When fetching mail with fetchmail - even with sslfingerprint and without
sslcertck! - there was on each and every fetching attempt a line written
out: "Warning: self-signed certificate" (or like that)...
This is annoying - especially because I had taken care of verifying the
certificate myself by adding the fingerprint to the poll specification.
This is even more annoying when you use cron to kick off your poll,
because cron happily sends an email containing the output of fetchmail.
Normally it's empty, but with sslfingerprint and self signed certificates
you get a warning email for each and every poll. (Needless to say that
real problems, like socket errors, are well hidden in that constant
flood of email...)
Perhaps I misunderstood something or missed some point, but as far as
I know verifying an ssl fingerprint is at least as secure as checking a
certification path.
(There are several cases known where a CA happily issued certificates to
"wrong" people... creating a certificate for a known sslfingerprint
seems to be much harder).
It would be kind of you if you could provide more detail on why you feel
that sslfingerprint creates a false feeling of security.
Best regards,
-hannes
_______________________________________________
Fetchmail-friends mailing list
Fetchmail-friends(_at_)lists(_dot_)ccil(_dot_)org
http://lists.ccil.org/cgi-bin/mailman/listinfo/fetchmail-friends
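The pinning check hannes describes above (publishing the self-signed server certificate's fingerprint and putting it into the poll specification as sslfingerprint), as an added example that is neither fetchmail's own code nor part of the original thread. It assumes that fetchmail's sslfingerprint value is the MD5 digest of the DER-encoded server certificate written as colon-separated hex pairs (the form `openssl x509 -noout -fingerprint -md5` prints); the certificate bytes, the hostname and the user name are constructed placeholders, and the poll line is only an approximation of fetchmailrc syntax.

```python
import base64
import hashlib
import hmac
import re

# Constructed placeholder standing in for a DER-encoded certificate.  It is
# NOT a real X.509 structure: the fingerprint is a digest over the raw DER
# bytes, so the example does not depend on ASN.1 validity.
SAMPLE_DER = b"constructed placeholder, not a real DER certificate"

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in the PEM armour a server operator would publish."""
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


def pem_to_der(pem: str) -> bytes:
    """Extract the first CERTIFICATE block and base64-decode it."""
    m = _PEM_RE.search(pem)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(der: bytes, algo: str = "md5") -> str:
    """Digest of the DER bytes as colon-separated upper-case hex pairs.

    Assumption: this is the format fetchmail's sslfingerprint expects
    (the same string `openssl x509 -noout -fingerprint -md5` prints).
    """
    hexdigest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def normalize(fp: str) -> str:
    """Tolerate lower-case hex and missing colons in a hand-copied pin."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def pin_matches(der: bytes, expected: str, algo: str = "md5") -> bool:
    """Constant-time comparison of the presented certificate against the pin."""
    return hmac.compare_digest(normalize(fingerprint(der, algo)),
                               normalize(expected))


def poll_entry(host: str, user: str, pin: str, proto: str = "IMAP") -> str:
    """Approximate fetchmailrc poll line pinning the server by fingerprint
    (host and user are hypothetical; the password clause is omitted)."""
    return f'poll {host} proto {proto} user "{user}" ssl sslfingerprint "{pin}"'


def check_presented(pem_from_server: str, pinned: str) -> str:
    """Cron-friendly outcome: silent "ok" on match, a loud line on mismatch."""
    der = pem_to_der(pem_from_server)
    if pin_matches(der, pinned):
        return "ok"
    return "MISMATCH: presented %s, pinned %s" % (fingerprint(der), pinned)


if __name__ == "__main__":
    pin = fingerprint(SAMPLE_DER)
    print(poll_entry("imap.example.org", "hannes", pin))
    print(check_presented(der_to_pem(SAMPLE_DER), pin))
    # A renewed or replaced certificate has different DER bytes, so the old
    # pin fails even though the new certificate may be perfectly valid.
    print(check_presented(der_to_pem(SAMPLE_DER + b" (renewed)"), pin))
```

The pin covers the whole certificate, so every renewal (exactly the situation in the post) silently invalidates it and must be followed by republishing the fingerprint; that is the operational cost of pinning compared with a CA chain. The MD5 format here only mirrors the assumed fetchmail convention; because MD5 is collision-weak, a client that lets you choose the digest should be pinned with the `algo="sha256"` variant instead.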