cert_fingerprint errors on upgrade

Guido Berhoerster gber at opensuse.org
Wed Jun 6 15:44:05 BST 2012


* sebastian at sspaeth.de <sebastian at sspaeth.de> [2012-06-06 08:55]:
> Many of you will experience an "error" like this on upgrading OfflineIMAP:
>     Establishing connection to imap.gmail.com:993
>     ERROR: Server SSL fingerprint 'f3043dd689a2e7dddfbef82703a6c65ea9b634c1'
>     for hostname 'imap.gmail.com' does not match configured fingerprint.
>     Please verify and set 'cert_fingerprint' accordingly if not set yet.
> This error is no error, but the new feature of OfflineIMAP to actually
> perform a check of the SSL certificate of the IMAP server you connect to.
> You can either set a CA certificate to verify it, or, absent a CA
> certificate, you need to store the "fingerprint" of the SSL certificate in
> your offlineimap.conf to make sure it does not change on subsequent
> connects. If it changes, it will mean that the server has a) a new
> certificate or b) there is a malicious man-in-the-middle.
> The solution to this problem is easy:
> in your repository section, add:
>     cert_fingerprint=f3043dd689a2e7dddfbef82703a6c65ea9b634c1
> given the above error message.

Could you make offlineimap at least check the system certificates
by default? That should cover probably most cases and not inflict
pain on users and distributors dealing with the fallout. Those
few who host their mail on a server without a certificate trusted
by the system probably know how to deal with the situation.
Guido Berhoerster
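
The fingerprint check discussed in this thread, as an added example that is not part of the original messages and is not OfflineIMAP's own code. It assumes the 40-hex-digit value is the SHA-1 digest of the DER-encoded certificate; the section name, host name, certificate bytes and function names are constructed for illustration.

```python
import configparser
import hashlib
import ssl

# Constructed sample: stand-in bytes, not a real X.509 certificate.
SAMPLE_DER = b"constructed-sample-certificate-bytes"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

# Constructed sample config; section and host names are hypothetical.
SAMPLE_CONF = """
[Repository Remote]
type = IMAP
remotehost = imap.example.org
cert_fingerprint = {fp}
"""


def fingerprint(pem_cert):
    """SHA-1 hex digest of the DER form of the certificate (assumed format)."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    return hashlib.sha1(der).hexdigest()


def normalize(fp):
    """Treat 'AB:CD:..' and 'abcd..' as the same fingerprint (this example's choice)."""
    return fp.replace(":", "").replace(" ", "").strip().lower()


def check_pin(conf_text, section, pem_cert):
    """Return 'match', 'mismatch' or 'unset' for the certificate the server presented."""
    cfg = configparser.ConfigParser()
    cfg.read_string(conf_text)
    pinned = normalize(cfg.get(section, "cert_fingerprint", fallback=""))
    if not pinned:
        # Nothing pinned: the caller has to fall back to CA verification.
        return "unset"
    # A mismatch means a new server certificate or an interposed party;
    # the caller should stop and ask the user to verify before re-pinning.
    return "match" if fingerprint(pem_cert) == pinned else "mismatch"


if __name__ == "__main__":
    good = SAMPLE_CONF.format(fp=fingerprint(SAMPLE_PEM))
    print(check_pin(good, "Repository Remote", SAMPLE_PEM))
    print(check_pin(SAMPLE_CONF.format(fp="0" * 40), "Repository Remote", SAMPLE_PEM))
```
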
