<table cellspacing="0" cellpadding="0" border="0"><tr><td valign="top"><div id='yahoo__compose_area' style="background-color:white; display:block; font-family:HelveticaNeue-Regular,Helvetica;">There should be a standard method to get OpenSSL to download and use the current full set of public root CA certs !<br><br><br></div><div id='yahoo__original_message' class='yQTDBase'><br><blockquote style="margin:0 0 0 .8ex; border-left:1px #ccc solid; padding-left:1ex; ">At May 18, 2015, 3:17:50 PM, Lucien Pullen<'drurowin@gmail.com'> wrote:<div id="msgSandbox_AOt2w0MAAAKGVVo63gdyQJJ0PXY" class="msgSandbox" style="padding: 1.5em 0.5em 0.5em 1.2em; word-wrap: break-word;">Also sprach Rainer M Krug on 2015-05-18:<br clear="none">> "M. Henry Linder" <<a shape="rect" ymailto="mailto:mhlinder@gmail.com" href="javascript:return">mhlinder@gmail.com</a>> writes:<br clear="none">><br clear="none">>> Lucien<br clear="none">>><br clear="none">>> Thanks for the response.
 OpenSSL wasn’t doing The Right Thing, and a<br clear="none">>> variety of other fixes weren’t working either—various certs downloaded<br clear="none">>> offline, etc.<br clear="none">>><br clear="none">>> What ended up working was just dumping all the Keychain System Roots<br clear="none">>> certs to a PEM file<br clear="none">>> (<a shape="rect" href="http://stackoverflow.com/questions/24675167/ca-certificates-mac-os-x" target="_blank">http://stackoverflow.com/questions/24675167/ca-certificates-mac-os-x</a><br clear="none">>> <<a shape="rect" href="http://stackoverflow.com/questions/24675167/ca-certificates-mac-os-x" target="_blank">http://stackoverflow.com/questions/24675167/ca-certificates-mac-os-x</a>>),<br clear="none">>> which feels a bit hacky but at least works<br clear="none">><br clear="none">> I did exactly the same, and I agree it feels hacky.<br clear="none">><br clear="none">> I have no idea about python, but wouldn't it be possible
 that<br clear="none">> offlineimap could directly read the certificate from the keychain if<br clear="none">> told to do so? This would be very helpful (and presumably safer -<br clear="none">> consider updates of the certificates!)<br clear="none"><br clear="none">I'm looking into the relevant bits in the source and learning more about<br clear="none">security(1).  I'm gonna try to put together a working code fragment that<br clear="none">lets me connect using just "GeoTrust Global CA", which is the CA Google<br clear="none">uses[1] and the closest thing that Macintosh ships with.  Next up I may<br clear="none">make it more general to support giving offlineimap the name of the CA<br clear="none">instead of hard-coding the thing to make Google work.<br clear="none"><br clear="none">^1 <<a shape="rect" href="https://pki.google.com/" target="_blank">https://pki.google.com/</a>><div class="yQTDBase yqt6232080751" id="yqtfd29222"><br clear="none"><br
 clear="none">_______________________________________________<br clear="none">OfflineIMAP-project mailing list: <a shape="rect" ymailto="mailto:OfflineIMAP-project@lists.alioth.debian.org" href="javascript:return">OfflineIMAP-project@lists.alioth.debian.org</a><br clear="none"><a shape="rect" href="http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/offlineimap-project" target="_blank">http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/offlineimap-project</a><br clear="none"><br clear="none">OfflineIMAP homepages:<br clear="none">- <a shape="rect" href="https://github.com/OfflineIMAP" target="_blank">https://github.com/OfflineIMAP</a><br clear="none">- <a shape="rect" href="http://offlineimap.org" target="_blank">http://offlineimap.org</a></div></div><div></div></blockquote></div></html></td></tr></table>