offlineimap, OSX, SSL3_GET_SERVER_CERTIFICATE and the cert_fingerprint?

Johannes Kastl mail at ojkastl.de
Sun Feb 3 20:31:00 GMT 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Eygene,

thanks for your answer. As my Internet seems to be broken, I'll have
to postpone trying it out for a couple of days.

I'll be back with more info.

Thanks,
Johannes

On 2/1/13 10:16 PM Eygene Ryabinkin wrote:
> Fri, Feb 01, 2013 at 09:34:00PM +0100, Johannes Kastl wrote:
>> OSX 10.8 (same happened on 10.6 and 10.5 IIRC). Endpoint is
>> imap.gmx.net. offlineimap is the latest from git. But this
>> happened before (2011), since I upgraded macports to python 2.6 (I
>> think, or 2.7?).
>> 
>> Here it comes (three blocks):
> [...]
> 
> These three blocks contain the certificate chain for imap.gmx.net,
> but it doesn't contain the root (self-signed) Thawte certificate
> that you should trust.  Please, try to download it from
> https://www.thawte.com/roots/thawte_Premium_Server_CA.pem, place it
> in that file alone and try again.
> 
>> The sslcacertfile was created with the following command:
>> 
>>> openssl s_client -connect imap.gmx.net:993 -CApath /System/Library/OpenSSL/ -showcerts | perl -ne 'print if /BEGIN/../END/; print STDERR if /return/' > filename.cert
> 
> It is not really the command you should be using, since it outputs 
> the whole certification chain and may not include the root of
> trust (as in your case).  Strictly speaking, you should have only
> the root certificate(s) you want to trust and the rest should be
> handled by the SSL/TLS libraries.
> 
> Probably, you can alternatively try to do 'cat 
> /System/Library/OpenSSL/ > ca_roots.pem' and try to use that file 
> as the 'sslcacertfile'.
> 
>> I just noticed the following output:
>> 
>>> depth=3 C = ZA, ST = Western Cape, L = Cape Town, O = Thawte Consulting cc, OU = Certification Services Division, CN = Thawte Premium Server CA, emailAddress = premium-server@thawte.com
>>> verify return:1
>>> depth=2 C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA
>>> verify return:1
>>> depth=1 C = US, O = "Thawte, Inc.", CN = Thawte SSL CA
>>> verify return:1
>>> depth=0 C = DE, ST = Bayern, L = Muenchen, O = 1&1 Mail & Media GmbH, OU = GMX, CN = imap.gmx.net
>>> verify return:1
>>> Verify return code: 0 (ok)
>> 
>> The last line seems nice, but the three "verify return: 1" strike
>> me as odd.
> 
> It is normal.  "verify return:1" means that OpenSSL was able to
> check the certificate in question and build a fragment of a trust
> chain.
> 


Regards,
Johannes
- -- 
Coming back to where you started is not the same as never leaving.
(Terry Pratchett)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (Darwin)
Comment: Using GnuPG with SeaMonkey - http://www.enigmail.net/

iEYEARECAAYFAlEOyQQACgkQzi3gQ/xETbLLBgCfZ1DTT1vT+FWHk6/48+q2iZwY
7rQAni9vAoLbYe2/s9qQcUKphVL1JFzo
=LXy/
-----END PGP SIGNATURE-----
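The diagnosis Eygene gives above (the perl filter keeps only the PEM blocks the server sent, and that chain need not end in the self-signed root you have to trust) can be checked mechanically from the s_client transcript. The script below is an added example, not part of this thread or of OfflineIMAP: it counts the PEM blocks the filter would keep, reads the "depth=N" lines to see how far OpenSSL walked (anything deeper than what the server sent came from -CApath), and checks whether the last certificate the server sent is self-signed. The embedded transcript is constructed to mirror the quoted imap.gmx.net output (same depths and subjects, placeholder certificate bodies, the " N s:/... / i:/..." chain listing that OpenSSL of that era prints); the function names are the example's own.

```python
"""Does the PEM output of `openssl s_client -showcerts` contain the root of
trust, or only what the server sent?  Added example, stdlib only.
"""
import re

# Constructed transcript modelled on the one quoted in the mail: four
# verification depths (3..0), but only three certificates sent by the
# server.  The PEM bodies are placeholders, not real certificates.
SAMPLE_TRANSCRIPT = """\
CONNECTED(00000003)
depth=3 C = ZA, ST = Western Cape, L = Cape Town, O = Thawte Consulting cc, OU = Certification Services Division, CN = Thawte Premium Server CA, emailAddress = premium-server@thawte.com
verify return:1
depth=2 C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA
verify return:1
depth=1 C = US, O = "Thawte, Inc.", CN = Thawte SSL CA
verify return:1
depth=0 C = DE, ST = Bayern, L = Muenchen, O = 1&1 Mail & Media GmbH, OU = GMX, CN = imap.gmx.net
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Bayern/L=Muenchen/O=1&1 Mail & Media GmbH/OU=GMX/CN=imap.gmx.net
   i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
-----BEGIN CERTIFICATE-----
MIIC...placeholder-leaf...
-----END CERTIFICATE-----
 1 s:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
-----BEGIN CERTIFICATE-----
MIIE...placeholder-intermediate...
-----END CERTIFICATE-----
 2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
-----BEGIN CERTIFICATE-----
MIIE...placeholder-cross-signed-root...
-----END CERTIFICATE-----
---
    Verify return code: 0 (ok)
"""

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
DEPTH_RE = re.compile(r"^depth=(\d+) (.*)$", re.M)
CHAIN_RE = re.compile(r"^ *\d+ s:(.*)\n *i:(.*)$", re.M)
VERIFY_RE = re.compile(r"Verify return code: (\d+)")


def pem_blocks(transcript):
    """The certificates the server sent: exactly what `/BEGIN/../END/` keeps."""
    return PEM_RE.findall(transcript)


def chain_entries(transcript):
    """(subject, issuer) pairs from the 'Certificate chain' listing, leaf first."""
    return [(s.strip(), i.strip()) for s, i in CHAIN_RE.findall(transcript)]


def verify_depths(transcript):
    """{depth: subject} from the 'depth=N ...' lines printed during verification."""
    return {int(d): subj.strip() for d, subj in DEPTH_RE.findall(transcript)}


def diagnose(transcript):
    """Compare what was sent with what OpenSSL verified and flag a missing anchor."""
    sent = pem_blocks(transcript)
    entries = chain_entries(transcript)
    depths = verify_depths(transcript)
    top = entries[-1] if entries else None
    # A root is self-signed: subject and issuer are the same name.  If the
    # last cert the server sent is not, the anchor was taken from -CApath
    # and is absent from the saved PEM file.
    top_self_signed = top is not None and top[0] == top[1]
    deepest = max(depths) if depths else None
    m = VERIFY_RE.search(transcript)
    return {
        "certs_sent": len(sent),
        "chain_length": (deepest + 1) if deepest is not None else None,
        "trust_anchor": depths.get(deepest),
        "top_sent_is_self_signed": top_self_signed,
        "root_missing": not top_self_signed,
        "verify_return_code": int(m.group(1)) if m else None,
    }


def report(transcript):
    d = diagnose(transcript)
    lines = [f"server sent {d['certs_sent']} certificate(s); "
             f"OpenSSL verified a chain of {d['chain_length']}"]
    if d["root_missing"]:
        lines.append("last certificate sent is NOT self-signed, so the saved "
                     "PEM file lacks the trust anchor: " + str(d["trust_anchor"]))
        lines.append("the anchor came from -CApath; put that root alone in sslcacertfile")
    else:
        lines.append("the chain sent ends in a self-signed certificate")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_TRANSCRIPT))
```

Run against a real transcript by piping `openssl s_client -connect host:993 -CApath ... -showcerts </dev/null 2>&1` into a file and passing that text to report(). The "Verify return code: 0 (ok)" line only says that OpenSSL found an anchor somewhere in -CApath; it says nothing about whether that anchor is in the file you are about to hand to offlineimap, which is the check this script makes.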

More information about the OfflineIMAP-project mailing list