SSL fingerprint verification

Sebastian Spaeth Sebastian at SSpaeth.de
Wed Aug 31 14:23:29 BST 2011


On Wed, 31 Aug 2011 00:14:27 +0200, Johannes Stezenbach <js at sig21.net> wrote:
> I think most Linux distributions have the ca-certificates
> package which provides a bundle similar to what webbrowsers have
> in /etc/ssl/certs/ca-certificates.crt.  But as the DigiNotar
> disaster shows it is not a good idea to use the full bundle for IMAP.
> It's better to use just the one CA cert you need and hopefully trust.

Ahh, that would be nice to have them at a central location across
distros. In any case, our python module only takes a single file, so we
would need to concatenate all the certs ourselves and feed that to
python, so that approach wouldn't make lots of sense. Also I am not sure
that most SSL/TLS IMAP servers are signed with those mainstream web CA
certs. My dreamhost mail server certainly isn't.

In any case, cert fingerprinting and pointing a setting to the relevant
cert doesn't sound too bad to me. It makes verification more explicit,
which is not necessarily a bad thing...

Sebastian
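Fingerprint pinning of the kind discussed above, as an added example in Python 3 (not OfflineIMAP's own code): the server's leaf certificate is accepted only if its SHA-256 fingerprint matches a pinned value, compared in constant time. SAMPLE_DER is a constructed stand-in for a real DER certificate, and verify_pinned assumes a reachable host and port.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for a DER-encoded certificate; any byte string can be
# fingerprinted, so this lets the helpers run offline.
SAMPLE_DER = b"\x30\x82\x01\x00" + b"constructed-not-a-real-certificate"


def fingerprint(der_bytes, algorithm="sha256"):
    """Colon-separated upper-case hex digest, the layout printed by
    `openssl x509 -fingerprint`."""
    digest = hashlib.new(algorithm, der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp):
    """Accept 'AA:BB', 'aa bb' or 'aabb' and reduce it to bare upper-case hex,
    so a pin copied from a config file compares regardless of separators."""
    return "".join(ch for ch in fp.upper() if ch in "0123456789ABCDEF")


def fingerprint_matches(der_bytes, expected, algorithm="sha256"):
    """Constant-time comparison of the computed and pinned fingerprints."""
    computed = normalize(fingerprint(der_bytes, algorithm))
    return hmac.compare_digest(computed, normalize(expected))


def verify_pinned(host, port, expected_fp, timeout=10):
    """Open a TLS connection without CA validation and decide trust solely
    from the pinned fingerprint of the presented leaf certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # trust comes from the pin, not a CA bundle
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return fingerprint_matches(der, expected_fp)
```

A pin must be rotated whenever the server's certificate is reissued, so record which certificate the fingerprint was taken from.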