offlineimap, OSX, SSL3_GET_SERVER_CERTIFICATE and the cert_fingerprint?

Johannes Kastl mail at ojkastl.de
Fri Feb 1 20:34:00 UTC 2013



On 2/1/13 9:23 PM Eygene Ryabinkin wrote:

> You're using sslcacertfile, aren't you?  If so, can we get its
> contents (should be only certificates, so it is OK to share, make
> sure that you have no private keys there) and the endpoint you're
> trying to connect with OIMAP to?  OS and OI versions will be
> helpful too.

Sure.
OSX 10.8 (same happened on 10.6 and 10.5 IIRC)
Endpoint is imap.gmx.net
offlineimap is the latest from git. But this happened before (2011),
since I upgraded macports to python 2.6 (I think, or 2.7?).

Here it comes (three blocks):


The sslcacertfile was created with the following command:

> openssl s_client -connect imap.gmx.net:993 -CApath
> /System/Library/OpenSSL/ -showcerts | perl -ne 'print if
> /BEGIN/../END/; print STDERR if /return/' >  filename.cert

I just noticed the following output:

> depth=3 C = ZA, ST = Western Cape, L = Cape Town, O = Thawte
> Consulting cc, OU = Certification Services Division, CN = Thawte
> Premium Server CA, emailAddress = premium-server at thawte.com verify
> return:1 depth=2 C = US, O = "thawte, Inc.", OU = Certification
> Services Division, OU = "(c) 2006 thawte, Inc. - For authorized use
> only", CN = thawte Primary Root CA verify return:1 depth=1 C = US,
> O = "Thawte, Inc.", CN = Thawte SSL CA verify return:1 depth=0 C =
> DE, ST = Bayern, L = Muenchen, O = 1&1 Mail & Media GmbH, OU = GMX,
> CN = imap.gmx.net verify return:1 Verify return code: 0 (ok)

The last line seems nice, but the three "verify return: 1" strike me
as odd. If 0 is ok, 1 seems to be a problem, right?

Regards,
Johannes
-- 
When you say "I wrote a program that crashed Windows", people just
stare at you blankly and say "Hey, I got those with the system, *for
free*".
(Linus Torvalds)
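Added example, not part of the thread: a small parser for the s_client verification lines quoted above, where each "verify return:N" is the value the verify callback returned for the certificate at that depth (1 lets the handshake continue) and the separate "Verify return code: N (reason)" is the X509 verification result, 0 meaning the chain verified. The second sample is constructed to show why the final code must be checked: s_client prints a "verify error" line for an untrusted certificate and still returns 1 from the callback to keep going.

```python
import re

# Constructed sample, modelled on the s_client output quoted in the mail
# (one record per line, as s_client actually prints it; the mail wrapped it).
GMX_OUTPUT = """\
depth=3 C = ZA, ST = Western Cape, L = Cape Town, O = Thawte Consulting cc, CN = Thawte Premium Server CA
verify return:1
depth=2 C = US, O = "thawte, Inc.", CN = thawte Primary Root CA
verify return:1
depth=1 C = US, O = "Thawte, Inc.", CN = Thawte SSL CA
verify return:1
depth=0 C = DE, ST = Bayern, L = Muenchen, O = 1&1 Mail & Media GmbH, OU = GMX, CN = imap.gmx.net
verify return:1
Verify return code: 0 (ok)
"""

# Constructed failure case: the callback reports the error, then still
# returns 1 so the handshake continues; only the final code reveals it.
UNTRUSTED_OUTPUT = """\
depth=0 CN = example.invalid
verify error:num=18:self signed certificate
verify return:1
Verify return code: 18 (self signed certificate)
"""

DEPTH_RE = re.compile(r"^depth=(\d+) (.*)$")
ERROR_RE = re.compile(r"^verify error:num=(\d+):(.*)$")
RETURN_RE = re.compile(r"^verify return:(\d+)$")
FINAL_RE = re.compile(r"^Verify return code: (\d+) \((.*)\)$")

def parse_verify_output(text):
    """Return (chain, final): chain is a list of per-depth dicts with
    'depth', 'subject', 'error' (None or (num, text)) and 'continued';
    final is (code, reason) from the 'Verify return code' line."""
    chain, current, final = [], None, None
    for line in text.splitlines():
        if m := DEPTH_RE.match(line):
            current = {"depth": int(m[1]), "subject": m[2], "error": None}
            chain.append(current)
        elif (m := ERROR_RE.match(line)) and current:
            current["error"] = (int(m[1]), m[2])
        elif (m := RETURN_RE.match(line)) and current:
            # 1 = callback let the handshake continue, 0 = it aborted
            current["continued"] = m[1] == "1"
        elif m := FINAL_RE.match(line):
            final = (int(m[1]), m[2])
    return chain, final

def chain_verified(text):
    """True only if no depth reported an error and the final code is 0."""
    chain, final = parse_verify_output(text)
    return (final is not None and final[0] == 0
            and all(c["error"] is None for c in chain))
```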