<span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">If you run offlineimap with no UI, then it'll print your server fingerprint to stdout.</span><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
If you're paranoid, run it from a different IP to check if you still get the same fingerprint.</div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">Then copy and paste the fingerprint inside your .rc file, so you tell OI that you allow it to accept this server.</div>
<div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)"><br></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
To avoid MITM, there is no complete solution, but basically, if you connect from numerous (unrelated) place to the same server and still get the same fingerprint, then you're almost sure you're contacting the right server (unless the MITM is just before the server, but then you can't do anything).</div>
<div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)"><br></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
If you're using SSH, you already know that, it's the same security as with the known_host file.</div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)"><br>
</div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">Regards,</div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">
Cyril </div><br><div class="gmail_quote">On Wed, Jan 30, 2013 at 8:56 PM, Johannes Kastl <span dir="ltr"><<a href="mailto:mail@ojkastl.de" target="_blank">mail@ojkastl.de</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<br>
Hi everyone,<br>
<br>
as a friend of mine lost some mails, I wanted to get offlineimap<br>
working again (after a long long time, see<br>
<<a href="http://article.gmane.org/gmane.mail.imap.offlineimap.general/4267/" target="_blank">http://article.gmane.org/gmane.mail.imap.offlineimap.general/4267/</a>><br>
from 2011).<br>
<br>
Im still getting the SSL3_GET_SERVER_CERTIFICATE error, so I tried<br>
patching the imaplib2.py<br>
(<<a href="http://permalink.gmane.org/gmane.mail.imap.offlineimap.general/6078" target="_blank">http://permalink.gmane.org/gmane.mail.imap.offlineimap.general/6078</a>>).<br>
Which did change nothing.<br>
<br>
I also have not found a solution to this issue, is there one I have<br>
missed?<br>
<br>
I then found out about the cert_fingerprint setting. Which could be a<br>
solition, but I have some questions, especially as I am no SSL-expert:<br>
<br>
1. How to generate the fingerprint?<br>
> openssl x509 -fingerprint -noout -in file.pem<br>
where file.pem is generated with<br>
> openssl s_client -connect <a href="http://imap.gmx.net:993" target="_blank">imap.gmx.net:993</a> -CApath<br>
> /System/Library/OpenSSL/ -showcerts | perl -ne 'print if<br>
> /BEGIN/../END/; print STDERR if /return/' > file.pem<br>
<br>
2.<br>
How to check if the fingerprint generated is really the right one?<br>
<br>
3. Connecting to the host via "openssl s_client -connect ..." shows a<br>
"Verify return code: 0 (ok)" which should mean the ssl-server uses the<br>
right certificate (when using file.pem)?<br>
<br>
4. Is using the cert_fingerprint enough to ensure that there is A) a<br>
connection via SSL and B) there is no man-in-the-middle?<br>
<br>
Sorry if these are stupid questions, but these are pretty important to me.<br>
<br>
Thanks in advance.<br>
<br>
Regards,<br>
Johannes<br>
<br>
P.S. Im on OSX 10.8 with the latest files from "git pull".<br>
- --<br>
`because it's taking about five hours for the public to get to their<br>
gold at the moment, the goblins have thightened security so much. Two<br>
days ago Arkie Philpott hat a Probity Probe stuck up his ... well,<br>
trust me, this way's easier.ᄡ (Bill Weasley in Harry Potter 6)<br>
-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v1.4.13 (Darwin)<br>
Comment: Using GnuPG with SeaMonkey - <a href="http://www.enigmail.net/" target="_blank">http://www.enigmail.net/</a><br>
<br>
iEYEARECAAYFAlEJevcACgkQzi3gQ/xETbJehwCdHs2lRL85dPwALiOYmHgevb93<br>
pOMAoIYfYiyempLlXnQHInIOwJoTdoBI<br>
=6/4n<br>
-----END PGP SIGNATURE-----<br>
<br>
<br>
_______________________________________________<br>
OfflineIMAP-project mailing list<br>
<a href="mailto:OfflineIMAP-project@lists.alioth.debian.org">OfflineIMAP-project@lists.alioth.debian.org</a><br>
<a href="http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/offlineimap-project" target="_blank">http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/offlineimap-project</a><br>
<br>
OfflineIMAP homepage: <a href="http://software.complete.org/offlineimap" target="_blank">http://software.complete.org/offlineimap</a></blockquote></div><br>