SSL fingerprint verification

Daniel Shahaf d.s at
Tue Aug 30 17:31:32 BST 2011

Johannes Stezenbach wrote on Tue, Aug 30, 2011 at 17:17:59 +0200:
> - cert fingerprint check is a stronger check than CA certificate
>   chain validation ("exactly this cert" vs. "any valid cert for X"),
>   so if both are configured the fingerprint check needs to be done.

Wait a minute.  I configured an sslcacertfile that has a chain of three
certificates; Sebastian's patch validates the digest of the first
certificate in the chain; so why would the latter check --- which
involves strictly less information (less certs, and only the digest
rather than the full cert) --- be stronger?

>   It is useful to do both since the fingerprint check alone
>   won't check e.g. expiration dates (but sometimes this is exactly
>   what you want, if you trust the cert even if it is invalid/expired
>   e.g. because you have created it yourself)

Or simply because $ISP have forgotten to install the new cert and the
old one just expired this morning and you want to check mail before
boarding a plane...

More information about the OfflineIMAP-project mailing list