offlineimap, OSX, SSL3_GET_SERVER_CERTIFICATE and the cert_fingerprint?
rea at codelabs.ru
Fri Feb 1 21:16:29 GMT 2013
Fri, Feb 01, 2013 at 09:34:00PM +0100, Johannes Kastl wrote:
> OSX 10.8 (same happened on 10.6 and 10.5 IIRC)
> Endpoint is imap.gmx.net
> offlineimap is the latest from git. But this happened before (2011),
> since I upgrade macports to python 2.6 (i think, or 2.7?).
> Here it comes (three blocks):
These three blocks contain the certificate chain for imap.gmx.net,
but it doesn't contain the root (self-signed) Thawte certificate
that you should trust to. Please, try to download it from
place it to that file alone and try again.
> The sslcacertfile was created with the following command:
> > openssl s_client -connect imap.gmx.net:993 -CApath
> > /System/Library/OpenSSL/ -showcerts | perl -ne 'print if
> > /BEGIN/../END/; print STDERR if /return/' > filename.cert
It is not really the command you should be using, since it outputs
the whole certification chain and may not include the root of trust
(as in your case). Strictly speaking, you should have only the root
certificate(s) you want to trust and the rest should be handled by
the SSL/TLS libraries.
Probably, you can alternatively try to do 'cat
/System/Library/OpenSSL/ > ca_roots.pem' and try to use that file
as the 'sslcacertfile'.
> I just noticed the following output:
> > depth=3 C = ZA, ST = Western Cape, L = Cape Town, O = Thawte
> > Consulting cc, OU = Certification Services Division, CN = Thawte
> > Premium Server CA, emailAddress = premium-server at thawte.com verify
> > return:1 depth=2 C = US, O = "thawte, Inc.", OU = Certification
> > Services Division, OU = "(c) 2006 thawte, Inc. - For authorized use
> > only", CN = thawte Primary Root CA verify return:1 depth=1 C = US,
> > O = "Thawte, Inc.", CN = Thawte SSL CA verify return:1 depth=0 C =
> > DE, ST = Bayern, L = Muenchen, O = 1&1 Mail & Media GmbH, OU = GMX,
> > CN = imap.gmx.net verify return:1 Verify return code: 0 (ok)
> The last line seems nice, but the three "verify return: 1" strike me
> as odd.
It is normal. "verify return:1" means that OpenSSL was able to check
the certificate in question and build a fragment of a trust chain.
More information about the OfflineIMAP-project