imap.google.com being spoofed?

Eygene Ryabinkin rea-fbsd at codelabs.ru
Mon Oct 1 09:05:18 BST 2012


Dmitry, good day.

Mon, Oct 01, 2012 at 01:42:11PM +0800, Dima Pasechnik wrote:
>  ERROR: Server SSL fingerprint
> '6d1b5b5ee0180ab493b71d3b94534b5ab937d042' for hostname
> 'imap.gmail.com' does not match configured fingerprint. Please verify
> and set 'cert_fingerprint' accordingly if not set yet.
> 
> I have in my .offlineimaprc
> cert_fingerprint=f3043dd689a2e7dddfbef82703a6c65ea9b634c1

This is the fingerprint of the current imap.gmail.com certificate
that is signed by Equifax:
{{{
$ echo quit | openssl s_client -host 173.194.71.109 -port 993 -showcerts -verify 2 -CAfile equifax.pem | openssl x509 -noout -fingerprint
verify depth is 2
depth=2 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = imap.gmail.com
verify return:1
DONE
SHA1 Fingerprint=F3:04:3D:D6:89:A2:E7:DD:DF:BE:F8:27:03:A6:C6:5E:A9:B6:34:C1

$ echo quit | openssl s_client -host 173.194.71.108 -port 993 -showcerts -verify 2 -CAfile equifax.pem | openssl x509 -noout -fingerprint
verify depth is 2
depth=2 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = imap.gmail.com
verify return:1
DONE
SHA1 Fingerprint=F3:04:3D:D6:89:A2:E7:DD:DF:BE:F8:27:03:A6:C6:5E:A9:B6:34:C1
}}}

You'd better enable Repository's option 'sslcacertfile' instead of
hardcoding the certificate fingerprint: it changes with the new
certificate (new public key, to be precise), but the trust to the
root CA allows you to verify the whole chain without relying on the
particular value of the server's certificate fingerprint.
-- 
Eygene Ryabinkin                                        ,,,^..^,,,
[ Life's unfair - but root password helps!           | codelabs.ru ]
[ 82FE 06BC D497 C0DE 49EC  4FF0 16AF 9EAE 8152 ECFB | freebsd.org ]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 228 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/offlineimap-project/attachments/20121001/e537b066/attachment-0001.sig>


More information about the OfflineIMAP-project mailing list