SSL fingerprint verification
Sebastian Spaeth
Sebastian at SSpaeth.de
Tue Aug 30 12:19:37 UTC 2011
I found some time to implement SSL server fingerprint verification. If
we connect via SSL (not STARTTLS), and we have no CA certificate
specified for verification, we will check the server SSL cert
fingerprint. If it doesn't match a fingerprint string that the user has
configured we bail out with an error:
ERROR: Server SSL fingerprint '17f7f2ff4a9dc3d32b8ae91247c4a428' for
hostname 'mail.dreamhost.com' does not match configured
fingerprint. Please verify and set 'sslfingerprint' accordingly if not
set yet.
This means you need to configure:
sslfingerprint = 17f7f2ff4a9dc3d32b8ae91247c4a428
in the repository section of your mail server. This check is performed
every time we connect to the server.
The fingerprint is the md5.hexdigest() of the binary SSL server cert.
Would something like this be of interest? Feedback? Patch as reply...
Sebastian
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/offlineimap-project/attachments/20110830/a523e16d/attachment.pgp>
More information about the OfflineIMAP-project
mailing list