SSL fingerprint verification

Johannes Stezenbach js at sig21.net
Tue Aug 30 23:14:27 BST 2011


On Tue, Aug 30, 2011 at 11:09:01PM +0200, Sebastian Spaeth wrote:
> 
> Your webbrowser can verify that a certificate is valid because it has
> built in a list of CA Certificates that it uses for verification. This
> works unless (see today's news) some CA is misled into signing fake
> certificates. If some CA cert expires or is added, you need to update
> your, say Firefox, to be able to use it. You can also only verify those
> https sites which have been signed
> by the few selected CAs that are in your webbrowser list. If your server
> has been signed by say cacert.org or even a self-signed certificate, you
> are mostly out of luck. 

Additionally most browsers check for revoked certs using OCSP,
and they have a built-in blacklist of some compromised certs.

> OfflineImap has no such list of CA Certificates built-in, nor does it
> want to get into the business of bundling them (or we would need to
> update the software every time a rogue certificate has been found). This
> is why there is a CA Certfile setting to point offlineimap to the
> relevant CA certs (either installed system wide or locally). There is no
> standard as to where to install the Certs system wide...

I think most Linux distributions have the ca-certificates
package which provides a bundle similar to what webbrowsers have
in /etc/ssl/certs/ca-certificates.crt.  But as the DigiNotar
disaster shows it is not a good idea to use the full bundle for IMAP.
It's better to use just the one CA cert you need and hopefully trust.


Johannes
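The two defensive measures discussed in this thread, trusting only the single CA certificate your IMAP server actually chains to rather than the full distribution bundle, and checking the server certificate's fingerprint, can both be done with the Python standard library. The following is an added example written for this archive page; it is not code from OfflineIMAP or from either poster. The hostname, port, CA file path and pinned fingerprint in `verify_imap_server` are placeholders that you would replace with your own server's values; the SHA-256 fingerprint format used (upper-case hex, colon-separated) matches what `openssl x509 -fingerprint -sha256` prints.

```python
import hashlib
import hmac
import socket
import ssl

def sha256_fingerprint(der_cert: bytes) -> str:
    """Return the SHA-256 fingerprint of a DER-encoded certificate in the
    usual 'AA:BB:...' form (32 bytes -> 95 characters)."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def fingerprint_matches(der_cert: bytes, pinned: str) -> bool:
    """Constant-time comparison of the certificate's fingerprint against a
    pinned value. Case and colons in the pinned value are ignored so that a
    value copied from another tool still compares correctly."""
    norm = pinned.replace(":", "").upper()
    actual = sha256_fingerprint(der_cert).replace(":", "")
    return hmac.compare_digest(norm, actual)

def make_single_ca_context(cafile):
    """Build a TLS client context that trusts ONLY the CA certificate(s) in
    `cafile` (the one CA you need, not the whole ca-certificates bundle).
    PROTOCOL_TLS_CLIENT already enables hostname checking and CERT_REQUIRED,
    and, unlike create_default_context(), it loads no system CA store unless
    we ask it to. Passing None builds a context with an empty trust store,
    which is useful for testing and for pure fingerprint pinning."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)
    return ctx

def verify_imap_server(host, port, cafile, pinned_fp, timeout=10):
    """Connect to an IMAPS server, let the TLS stack verify the chain against
    the single CA in `cafile`, then additionally check the leaf certificate's
    fingerprint against `pinned_fp`. Returns True only if both checks pass.
    Host/port/cafile/pinned_fp are caller-supplied; nothing here is a real
    server. Not exercised by the offline test below because it needs a network."""
    ctx = make_single_ca_context(cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            # getpeercert(binary_form=True) gives the DER bytes of the leaf cert
            leaf = tls.getpeercert(binary_form=True)
            return fingerprint_matches(leaf, pinned_fp)

# Constructed sample input: not a real certificate, just bytes standing in
# for DER so the fingerprint helpers can be exercised offline.
SAMPLE_DER = b"\x30\x82\x01\x00constructed-not-a-real-cert"

if __name__ == "__main__":
    print("fingerprint:", sha256_fingerprint(SAMPLE_DER))
    print("matches own fingerprint:",
          fingerprint_matches(SAMPLE_DER, sha256_fingerprint(SAMPLE_DER)))
    print("matches wrong fingerprint:",
          fingerprint_matches(SAMPLE_DER, "00:" * 31 + "00"))
    # Example call against your own server (placeholders, will not run as-is):
    # verify_imap_server("imap.example.invalid", 993, "/path/to/my-ca.pem",
    #                    "E3:B0:...:55")
```

Because the context is built with `PROTOCOL_TLS_CLIENT` and only `load_verify_locations`, a certificate issued by any other CA in the system bundle is rejected outright, which is the point Johannes makes about the DigiNotar case. The fingerprint check on top of that is what catches a certificate that is validly signed by your chosen CA but is not the one you expect.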