SSL fingerprint verification
Sebastian Spaeth
Sebastian at SSpaeth.de
Tue Aug 30 21:03:45 BST 2011
On Tue, 30 Aug 2011 17:17:59 +0200, Johannes Stezenbach <js at sig21.net> wrote:
> Yes, it is of interest. A few comments, though:
Cool.
> - I'd prefer SHA-1 over MD5 since MD5 is weaker
> (actually SHA-256 might be an even better choice, but MD5 and SHA-1
> are commonly used for certificate fingerprints)
I don't care which we use. Fortunately we depend on python >=2.5 now and
its hashlib has all the algos available. sha1 or sha256 all sounds good
to me.
> - IMHO "certfingerprint" would be a better name than "sslfingerprint"
I don't have strong opinions, but all the other crypt-related settings
start with ssl*. I would even be fine with just "server-sha1"
"fingerprint" or whatever makes most sense.
> - cert fingerprint check is a stronger check than CA certificate
> chain validation ("exactly this cert" vs. "any valid cert for X"),
> so if both are configured the fingerprint check needs to be done.
Again, I don't care (although I do believe that *if* a CA cert file is
specified and it verifies fine, we should be good), but as far as I am
concerned we can always check a fingerprint if it is configured in the
settings. No problem.
(actually I would rather like to automatically store it in some kind of
cache, and have the user only "(a)ccept" it like mutt does, but forcing
to set the fingerprint as a setting sounds ok for me for now.)
I will adapt the patch and resent once the queue of outstanding patches
has shrunk a little.
Sebastian
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/offlineimap-project/attachments/20110830/d626b5a3/attachment-0001.sig>
More information about the OfflineIMAP-project
mailing list