offlineimap, OSX, SSL3_GET_SERVER_CERTIFICATE and the cert_fingerprint?

Johannes Kastl mail at
Sun Feb 3 20:31:00 GMT 2013

Hi Eygene,

thanks for your answer. As my Internet seems to be broken, I'll have
to postpone trying it out for a couple of days.

I'll be back with more info.


On 2/1/13 10:16 PM Eygene Ryabinkin wrote:
> Fri, Feb 01, 2013 at 09:34:00PM +0100, Johannes Kastl wrote:
>> OSX 10.8 (same happened on 10.6 and 10.5 IIRC) Endpoint is
>> offlineimap is the latest from git. But this
>> happened before (2011), since I upgraded macports to python 2.6 (I
>> think, or 2.7?).
>> Here it comes (three blocks):
> [...]
> These three blocks contain the certificate chain for, 
> but it doesn't contain the root (self-signed) Thawte certificate 
> that you should trust.  Please try to download it from 
> place it
> to that file alone and try again.
>> The sslcacertfile was created with the following command:
>>> openssl s_client -connect -CApath /System/Library/OpenSSL/ -showcerts | perl -ne 'print if /BEGIN/../END/; print STDERR if /return/' > filename.cert
> It is not really the command you should be using, since it outputs 
> the whole certification chain and may not include the root of
> trust (as in your case).  Strictly speaking, you should have only
> the root certificate(s) you want to trust and the rest should be
> handled by the SSL/TLS libraries.
> Probably, you can alternatively try to do 'cat 
> /System/Library/OpenSSL/ > ca_roots.pem' and try to use that file 
> as the 'sslcacertfile'.
>> I just noticed the following output:
>>> depth=3 C = ZA, ST = Western Cape, L = Cape Town, O = Thawte Consulting cc, OU = Certification Services Division, CN = Thawte Premium Server CA, emailAddress = premium-server at
>>> verify return:1
>>> depth=2 C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA
>>> verify return:1
>>> depth=1 C = US, O = "Thawte, Inc.", CN = Thawte SSL CA
>>> verify return:1
>>> depth=0 C = DE, ST = Bayern, L = Muenchen, O = 1&1 Mail & Media GmbH, OU = GMX, CN =
>>> verify return:1
>>> Verify return code: 0 (ok)
>> The last line seems nice, but the three "verify return: 1" strike
>> me as odd.
> It is normal.  "verify return:1" means that OpenSSL was able to
> check the certificate in question and build a fragment of a trust
> chain.

-- 
Coming back to where you started is not the same as never leaving.
(Terry Pratchett)
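
The quoted reply notes that a file built from `s_client -showcerts` holds the chain the server sent and may lack the self-signed root. The script below is an added example, not part of the original message or of OfflineIMAP, that checks a candidate `sslcacertfile` for such a root. The function names and the throwaway certificates it generates are constructed for illustration, and it assumes the `openssl` command-line tool is installed.

```bash
# Print one line per certificate in a PEM bundle: "root <subject>" when the
# certificate is self-issued (subject == issuer), "chain <subject>" otherwise.
# Name equality is a heuristic; it does not verify the self-signature.
classify_bundle() {
    local bundle="$1" tmp f subj iss
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%03d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"
    for f in "$tmp"/*.pem; do
        [ -e "$f" ] || continue
        subj=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
        iss=$(openssl x509 -in "$f" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
        if [ "$subj" = "$iss" ]; then echo "root $subj"; else echo "chain $subj"; fi
    done
    rm -rf "$tmp"
}

# True when the bundle contains at least one self-issued certificate.
has_root() { classify_bundle "$1" | grep -q '^root '; }

# Constructed sample input: a throwaway root and a leaf signed by it.
# chain.pem mimics a capture from "s_client -showcerts" when the server
# does not send the root; root.pem is what a trust file should contain.
make_test_pki() {
    local d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test Root" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -out "$d/chain.pem" 2>/dev/null
}

# Demo on the constructed certificates.
demo_dir=$(mktemp -d) && make_test_pki "$demo_dir" && {
    classify_bundle "$demo_dir/chain.pem"
    classify_bundle "$demo_dir/root.pem"
    has_root "$demo_dir/chain.pem" || echo "chain.pem: no root, unsuitable as trust file"
}
rm -rf "$demo_dir"
```

A bundle for which `has_root` fails contains only server or intermediate certificates, which is the situation described in the quoted reply.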