SSL fingerprint verification

Sebastian Spaeth Sebastian at
Tue Aug 30 21:03:45 BST 2011

On Tue, 30 Aug 2011 17:17:59 +0200, Johannes Stezenbach <js at> wrote:
> Yes, it is of interest.  A few comments, though:

> - I'd prefer SHA-1 over MD5 since MD5 is weaker
>   (actually SHA-256 might be an even better choice, but MD5 and SHA-1
>   are commonly used for certificate fingerprints)

I don't care which we use. Fortunately we depend on python >=2.5 now and
its hashlib has all the algos available. sha1 or sha256 all sounds good
to me.

> - IMHO "certfingerprint" would be a better name than "sslfingerprint"

I don't have strong opinions, but all the other crypt-related settings
start with ssl*. I would even be fine with just "server-sha1"
"fingerprint" or whatever makes most sense.
> - cert fingerprint check is a stronger check than CA certificate
>   chain validation ("exactly this cert" vs. "any valid cert for X"),
>   so if both are configured the fingerprint check needs to be done.

Again, I don't care (although I do believe that *if* a CA cert file is
specified and it verifies fine, we should be good), but as far as I am
concerned we can always check a fingerprint if it is configured in the
settings. No problem.
(actually I would rather like to automatically store it in some kind of
cache, and have the user only "(a)ccept" it like mutt does, but forcing
to set the fingerprint as a setting sounds ok for me for now.)

I will adapt the patch and resent once the queue of outstanding patches
has shrunk a little.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: <>

More information about the OfflineIMAP-project mailing list