offlineimap, OSX, SSL3_GET_SERVER_CERTIFICATE and the cert_fingerprint?
mail at ojkastl.de
Wed Jan 30 19:56:39 GMT 2013
as a friend of mine lost some mails, I wanted to get offlineimap
working again (after a long long time, see
I'm still getting the SSL3_GET_SERVER_CERTIFICATE error, so I tried
patching the imaplib2.py
Which did change nothing.
I also have not found a solution to this issue, is there one I have
I then found out about the cert_fingerprint setting. Which could be a
solution, but I have some questions, especially as I am no SSL-expert:
1. How to generate the fingerprint?
> openssl x509 -fingerprint -noout -in file.pem
where file.pem is generated with
> openssl s_client -connect imap.gmx.net:993 -CApath
> /System/Library/OpenSSL/ -showcerts | perl -ne 'print if
> /BEGIN/../END/; print STDERR if /return/' > file.pem
2. How to check if the fingerprint generated is really the right one?
3. Connecting to the host via "openssl s_client -connect ..." shows a
"Verify return code: 0 (ok)" which should mean the ssl-server uses the
right certificate (when using file.pem)?
4. Is using the cert_fingerprint enough to ensure that there is A) a
connection via SSL and B) there is no man-in-the-middle?
Sorry if these are stupid questions, but these are pretty important to me.
Thanks in advance.
P.S. I'm on OSX 10.8 with the latest files from "git pull".
`because it's taking about five hours for the public to get to their
gold at the moment, the goblins have tightened security so much. Two
days ago Arkie Philpott had a Probity Probe stuck up his ... well,
trust me, this way's easier.' (Bill Weasley in Harry Potter 6)
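An added example, not part of the original post or of offlineimap's code: the file.pem written by the `-showcerts` pipeline above holds the whole chain, while `openssl x509` reads only the first block, so this example fingerprints each certificate in such a bundle and compares it with a pinned value. It assumes the pin is a SHA-1 fingerprint in the form `openssl x509 -fingerprint` prints; the certificate bytes are constructed placeholders and all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample: two PEM blocks in the order `s_client -showcerts` emits them
# (server certificate first, then its issuer) plus one stray text line.
# The payloads are placeholder bytes, not real certificates.
LEAF_DER = b"constructed-leaf-certificate-bytes"
CA_DER = b"constructed-issuer-certificate-bytes"

def to_pem(der):
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

SAMPLE_BUNDLE = "depth=1 verify return:1\n" + to_pem(LEAF_DER) + to_pem(CA_DER)

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_blocks(text):
    """Return the DER bytes of every certificate in a PEM bundle, in file order."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(text)]

def sha1_fingerprint(der):
    # Assumption: the pinned value is a SHA-1 digest over the DER encoding.
    return hashlib.sha1(der).hexdigest()

def normalize(fp):
    """Accept 'SHA1 Fingerprint=AA:BB:..', 'AA:BB:..' or 'aabb..'; return lowercase hex."""
    fp = fp.split("=", 1)[-1]
    return re.sub(r"[^0-9a-fA-F]", "", fp).lower()

def matches_pin(der, pinned):
    """Constant-time comparison of a certificate's fingerprint with a pinned value."""
    return hmac.compare_digest(sha1_fingerprint(der), normalize(pinned))

if __name__ == "__main__":
    certs = pem_blocks(SAMPLE_BUNDLE)
    leaf = sha1_fingerprint(certs[0])
    colon = ":".join(leaf[i:i + 2] for i in range(0, 40, 2)).upper()
    print("leaf   :", leaf)
    print("openssl: SHA1 Fingerprint=" + colon)
    print("leaf matches pin:", matches_pin(certs[0], "SHA1 Fingerprint=" + colon))
    print("CA matches pin  :", matches_pin(certs[1], colon))
```

A pin only identifies the certificate that was fetched; comparing the fingerprint with one obtained over a separate channel is what ties it to the real server.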