SSL fingerprint verification
d.s at daniel.shahaf.name
Tue Aug 30 17:31:32 BST 2011
Johannes Stezenbach wrote on Tue, Aug 30, 2011 at 17:17:59 +0200:
> - cert fingerprint check is a stronger check than CA certificate
> chain validation ("exactly this cert" vs. "any valid cert for X"),
> so if both are configured the fingerprint check needs to be done.
Wait a minute. I configured an sslcacertfile that has a chain of three
certificates; Sebastian's patch validates the digest of the first
certificate in the chain; so why would the latter check --- which
involves strictly less information (less certs, and only the digest
rather than the full cert) --- be stronger?
> It is useful to do both since the fingerprint check alone
> won't check e.g. expiration dates (but sometimes this is exactly
> what you want, if you trust the cert even if it is invalid/expired
> e.g. because you have created it yourself)
Or simply because $ISP have forgotten to install the new cert and the
old one just expired this morning and you want to check mail before
boarding a plane...
More information about the OfflineIMAP-project