Hannes Erven <h(_dot_)e(_at_)gmx(_dot_)at> writes:
> Matthias Andree wrote:
>> The (justified) complaint was that "nosslcertck" does not exist.
>> One already can leave sslcertck out.
> (I expected that that has the same effect as "nosslcertck"...)

Yes, same effect.

I don't plan to add this option however, because the user might just as
well not use ssl/tls at all to achieve the same purpose.

I'm not going to take part in new "creating false feeling of
security" games.

> Do you say that verifying ssl certificate fingerprints against known
> values does create a false feeling of security?

No, but disabling SSL certificate checking is the wrong way to go -- and
users actually have to obtain the fingerprint via some safe channel, and
there's some hen-and-egg problem.

> My university's ssl certs expired recently, and it took several weeks
> for them to get new ones. An intermediate solution was to use self-signed
> certificates on the servers and publish their fingerprints.

Well, usually they publish fingerprints of their _root_ certificates
they sign with (or at least they should, so as not to publish a dozen
fingerprints for certificates of a dozen central servers).

> When fetching mail with fetchmail - even with sslfingerprint and without
> sslcertck! - on each and every fetching attempt a line was written
> out: "Warning: self-signed certificate" (or like that)...

Ah, I see the problem. I'll see to fixing this before 6.3.4.

> This is even more annoying when you use cron to kick off your poll,
> because cron happily sends an email containing the output of
> fetchmail.

Cron is inferior to daemon mode, because fetchmail keeps some state
information in daemon mode and sends warnings. OK, cron will also mail
such warnings, but I don't want to hear about "temporary error, try
again later" if it happens just in one out of 6 polls per hour.

> It would be kind of you if you could provide more detail on why you feel
> that sslfingerprint creates a false feeling of security.

Not sslfingerprint does, but trying to defeat justified warnings does.

Note though, that if there's a man-in-the-middle attack in progress,
that attacker can easily exchange information on web sites, too, to
match the fingerprints to his fake certificates. A placard in a locked
showcase next to the NOC bureau door would work better...
--
Matthias Andree
_______________________________________________
Fetchmail-friends mailing list
Fetchmail-friends(_at_)lists(_dot_)ccil(_dot_)org
http://lists.ccil.org/cgi-bin/mailman/listinfo/fetchmail-friends
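The thread above turns on what certificate pinning by fingerprint actually buys you: the client hashes the server's DER certificate, compares it with a value obtained out of band, and refuses the connection on any mismatch, so a man-in-the-middle who presents his own certificate is caught unless he also managed to swap the published fingerprint. The following is an added example, not code from the thread or from fetchmail; it computes a fingerprint in the colon-separated hex notation fetchmail's manual documents for the sslfingerprint option (an MD5 digest), performs the fail-closed comparison, and emits an rc-file poll line. The certificate bytes are constructed stand-ins (a real client would feed it the DER from ssl.get_server_certificate), the host and user name are placeholders, and the exact .fetchmailrc line is an illustration of the option rather than a quote from the manual.

```python
# Added example (not fetchmail's code): pin a server certificate by its
# fingerprint, in the colon-separated hex notation fetchmail's manual
# documents for "sslfingerprint" (MD5), and check it fail-closed.
import hashlib
import hmac
import ssl

# Constructed stand-ins for DER-encoded certificates. Real DER bytes would
# come from ssl.get_server_certificate() via pem_to_der(); the hashing and
# comparison below do not depend on the content being a real certificate.
LEGIT_SERVER_DER = b"constructed stand-in: legitimate self-signed server cert"
MITM_SERVER_DER = b"constructed stand-in: attacker certificate presented in a MITM"


def pem_to_der(pem: str) -> bytes:
    """Convert a PEM certificate (as ssl.get_server_certificate returns) to DER."""
    return ssl.PEM_cert_to_DER_cert(pem)


def fingerprint(der: bytes, algo: str = "md5") -> str:
    """Digest of the DER bytes as uppercase hex pairs joined by colons,
    e.g. 'D4:1D:8C:...'. This is the layout 'openssl x509 -fingerprint'
    prints and the form fetchmail's sslfingerprint option takes (MD5)."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalize(fp: str) -> str:
    # Accept upper/lower case, with or without colons, surrounding whitespace.
    return fp.replace(":", "").strip().lower()


def pinned_cert_matches(der: bytes, pinned: str, algo: str = "md5") -> bool:
    """True only if the presented certificate hashes to the pinned value.
    Any mismatch, including a malformed or truncated pin, is a failure."""
    actual = _normalize(fingerprint(der, algo))
    expected = _normalize(pinned)
    if len(expected) != len(actual):
        return False
    # Constant-time comparison: not strictly needed for a public
    # fingerprint, but the right habit for any secret-adjacent check.
    return hmac.compare_digest(actual, expected)


def fetchmailrc_poll_line(host: str, user: str, pinned_md5: str) -> str:
    """Hypothetical .fetchmailrc entry pinning the certificate. 'sslcertck'
    is deliberately absent: a self-signed certificate has no trusted issuer,
    so chain validation would reject it; the pin carries the trust instead."""
    return f'poll {host} proto imap user "{user}" ssl sslfingerprint "{pinned_md5}"'


def demo() -> dict:
    # The pin must reach the client over a channel the attacker cannot edit
    # (the placard in the thread); here it is derived from the known-good bytes.
    pin = fingerprint(LEGIT_SERVER_DER)
    return {
        "pin": pin,
        "legit_ok": pinned_cert_matches(LEGIT_SERVER_DER, pin),
        "mitm_ok": pinned_cert_matches(MITM_SERVER_DER, pin),
        "rc_line": fetchmailrc_poll_line("mail.example.org", "alice", pin),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the legitimate certificate passing and the substituted one failing against the same pin, which is the whole protection a fingerprint pin gives: it is only as trustworthy as the channel the pin arrived over, and a pin that came from a web page the attacker can also rewrite protects nothing.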