SSL fingerprint verification
Daniel Shahaf
d.s at daniel.shahaf.name
Tue Aug 30 21:34:48 BST 2011
Daniel Shahaf wrote on Tue, Aug 30, 2011 at 23:13:16 +0300:
> Sebastian Spaeth wrote on Tue, Aug 30, 2011 at 22:03:45 +0200:
> > On Tue, 30 Aug 2011 17:17:59 +0200, Johannes Stezenbach <js at sig21.net> wrote:
> > > Yes, it is of interest. A few comments, though:
> >
> > Cool.
> >
> > > - I'd prefer SHA-1 over MD5 since MD5 is weaker
> > > (actually SHA-256 might be an even better choice, but MD5 and SHA-1
> > > are commonly used for certificate fingerprints)
> >
> > I don't care which we use. Fortunately we depend on python >=2.5 now and
> > its hashlib has all the algos available. sha1 or sha256 all sounds good
> > to me.
> >
>
> It might be easier to obtain the sha1 fingerprint via other tools, so
> perhaps both sha1 and sha256 could be supported at the same time? i.e.,
> check whichever of the two is provided?
Perhaps something like

    sslfingerprint = sha1:da39a3ee5e6b4b0d3255bfef95601890afd80709 sha16777216:2a

and then in the code:

    for word in config.get('sslfingerprint').split():
        alg, digest = word.split(':')
        obj = getattr(hashlib, alg, None)
        if obj:
            .. compute the digest using obj ...
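
Added example, not part of the original thread and not OfflineIMAP's code: one way to check an "alg:digest" list like the sslfingerprint line above while failing closed on entries that cannot be checked. The names parse_fingerprints, verify_cert and ALLOWED_ALGS are hypothetical; the sha1/sha256 allowlist, the rule that every configured pin must match, and Python 3 are assumptions.

```python
import hashlib
import hmac

# Assumption for this example: only these algorithms may be pinned.
ALLOWED_ALGS = ("sha1", "sha256")


def parse_fingerprints(value):
    """Parse 'alg:hex alg:hex ...' into [(alg, digest_bytes)].

    Raises ValueError on an unknown algorithm, bad hex or wrong length,
    so a typo in the config cannot silently disable the check.
    """
    pins = []
    for word in value.split():
        alg, sep, hexdigest = word.partition(":")
        alg = alg.lower()
        if not sep or alg not in ALLOWED_ALGS:
            raise ValueError("unsupported fingerprint entry: %r" % word)
        # Accept openssl-style 'DA:39:A3:...' as well as plain hex.
        digest = bytes.fromhex(hexdigest.replace(":", ""))
        if len(digest) != hashlib.new(alg).digest_size:
            raise ValueError("wrong digest length for %s" % alg)
        pins.append((alg, digest))
    return pins


def verify_cert(der_cert, value):
    """True only if at least one pin is configured and every pin matches."""
    pins = parse_fingerprints(value)
    if not pins:
        return False  # fail closed: no usable pin means no verification
    ok = True
    for alg, expected in pins:
        actual = hashlib.new(alg, der_cert).digest()
        # Constant-time comparison of the raw digest bytes.
        ok &= hmac.compare_digest(actual, expected)
    return ok


if __name__ == "__main__":
    # Constructed sample: an empty byte string stands in for the DER
    # certificate, because the sha1 value in the post is SHA-1 of b"".
    pin = "sha1:da39a3ee5e6b4b0d3255bfef95601890afd80709"
    print(verify_cert(b"", pin))
    print(verify_cert(b"other", pin))
```

Looking the algorithm up in an explicit allowlist rather than with getattr(hashlib, alg) keeps non-hash attributes of the module from being selected, and turns an unrecognised name into an error instead of a skipped check.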