offlineimap, OSX, SSL3_GET_SERVER_CERTIFICATE and the cert_fingerprint?
Johannes Kastl
mail at ojkastl.de
Sun Feb 3 20:31:00 UTC 2013
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Eygene,
thanks for your answer. As my Internet seems to be broken, I'll have
to postpone trying it out for a couple of days.
I'll be back with more info.
Thanks,
Johannes
On 2/1/13 10:16 PM Eygene Ryabinkin wrote:
> Fri, Feb 01, 2013 at 09:34:00PM +0100, Johannes Kastl wrote:
>> OSX 10.8 (same happened on 10.6 and 10.5 IIRC) Endpoint is
>> imap.gmx.net offlineimap is the latest from git. But this
>> happened before (2011), since I upgrade macports to python 2.6 (i
>> think, or 2.7?).
>>
>> Here it comes (three blocks):
> [...]
>
> These three blocks contain the certificate chain for imap.gmx.net,
> but it doesn't contain the root (self-signed) Thawte certificate
> that you should trust to. Please, try to download it from
> https://www.thawte.com/roots/thawte_Premium_Server_CA.pem place it
> to that file alone and try again.
>
>> The sslcacertfile was created with the following command:
>>
>>> openssl s_client -connect imap.gmx.net:993 -CApath
>>> /System/Library/OpenSSL/ -showcerts | perl -ne 'print if
>>> /BEGIN/../END/; print STDERR if /return/' > filename.cert
>
> It is not really the command you should be using, since it outputs
> the whole certification chain and may not include the root of
> trust (as in your case). Strictly speaking, you should have only
> the root certificate(s) you want to trust and the rest should be
> handled by the SSL/TLS libraries.
>
> Probably, you can alternatively try to do 'cat
> /System/Library/OpenSSL/ > ca_roots.pem' and try to use that file
> as the 'sslcacertfile'.
>
>> I just noticed the following output:
>>
>>> depth=3 C = ZA, ST = Western Cape, L = Cape Town, O = Thawte
>>> Consulting cc, OU = Certification Services Division, CN =
>>> Thawte Premium Server CA, emailAddress =
>>> premium-server at thawte.com verify return:1 depth=2 C = US, O =
>>> "thawte, Inc.", OU = Certification Services Division, OU = "(c)
>>> 2006 thawte, Inc. - For authorized use only", CN = thawte
>>> Primary Root CA verify return:1 depth=1 C = US, O = "Thawte,
>>> Inc.", CN = Thawte SSL CA verify return:1 depth=0 C = DE, ST =
>>> Bayern, L = Muenchen, O = 1&1 Mail & Media GmbH, OU = GMX, CN =
>>> imap.gmx.net verify return:1 Verify return code: 0 (ok)
>>
>> The last line seems nice, but the three "verify return: 1" strike
>> me as odd.
>
> It is normal. "verify return:1" means that OpenSSL was able to
> check the certificate in question and build a fragment of a trust
> chain.
>
Regards,
Johannes
- --
Coming back to where you started is not the same as never leaving.
(Terry Pratchett)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (Darwin)
Comment: Using GnuPG with SeaMonkey - http://www.enigmail.net/
iEYEARECAAYFAlEOyQQACgkQzi3gQ/xETbLLBgCfZ1DTT1vT+FWHk6/48+q2iZwY
7rQAni9vAoLbYe2/s9qQcUKphVL1JFzo
=LXy/
-----END PGP SIGNATURE-----
More information about the OfflineIMAP-project
mailing list