offlineimap, OSX, SSL3_GET_SERVER_CERTIFICATE and the cert_fingerprint?

Johannes Kastl mail at ojkastl.de
Wed Jan 30 19:56:39 GMT 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi everyone,

as a friend of mine lost some mails, I wanted to get offlineimap
working again (after a long long time, see
<http://article.gmane.org/gmane.mail.imap.offlineimap.general/4267/>
from 2011).

I'm still getting the SSL3_GET_SERVER_CERTIFICATE error, so I tried
patching the imaplib2.py
(<http://permalink.gmane.org/gmane.mail.imap.offlineimap.general/6078>).
Which changed nothing.

I also have not found a solution to this issue, is there one I have
missed?

I then found out about the cert_fingerprint setting. Which could be a
solution, but I have some questions, especially as I am no SSL-expert:

1. How to generate the fingerprint?
> openssl x509 -fingerprint -noout -in file.pem
where file.pem is generated with
> openssl s_client -connect imap.gmx.net:993 -CApath
> /System/Library/OpenSSL/ -showcerts | perl -ne 'print if
> /BEGIN/../END/; print STDERR if /return/' > file.pem

2. How to check if the fingerprint generated is really the right one?

3. Connecting to the host via "openssl s_client -connect ..." shows a
"Verify return code: 0 (ok)" which should mean the ssl-server uses the
right certificate (when using file.pem)?

4. Is using the cert_fingerprint enough to ensure that there is A) a
connection via SSL and B) there is no man-in-the-middle?

Sorry if these are stupid questions, but these are pretty important to me.

Thanks in advance.

Regards,
Johannes

P.S. I'm on OSX 10.8 with the latest files from "git pull".
- -- 
`because it's taking about five hours for the public to get to their
gold at the moment, the goblins have tightened security so much. Two
days ago Arkie Philpott had a Probity Probe stuck up his ... well,
trust me, this way's easier.' (Bill Weasley in Harry Potter 6)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (Darwin)
Comment: Using GnuPG with SeaMonkey - http://www.enigmail.net/

iEYEARECAAYFAlEJevcACgkQzi3gQ/xETbJehwCdHs2lRL85dPwALiOYmHgevb93
pOMAoIYfYiyempLlXnQHInIOwJoTdoBI
=6/4n
-----END PGP SIGNATURE-----
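
An added example for questions 1 and 2 above (not part of the original message and not offlineimap's own code): a file saved from `s_client -showcerts` can hold the whole chain, and only the first certificate in it is the server's, so this Python code hashes that first block and compares it with a reference fingerprint in either colon or plain-hex form. The function names and the sample bytes are constructed for illustration; that cert_fingerprint takes the SHA-1 digest as plain lowercase hex is an assumption to check against your offlineimap version.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def pem_certs_to_der(pem_text):
    """Return every certificate block in pem_text as DER bytes, in file order."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_RE.findall(pem_text)]


def leaf_fingerprint(pem_text, algo="sha1"):
    """Hex digest of the first certificate, the one the server presents as its own."""
    certs = pem_certs_to_der(pem_text)
    if not certs:
        raise ValueError("no certificate found in input")
    return hashlib.new(algo, certs[0]).hexdigest()


def normalize(fingerprint):
    """Turn 'SHA1 Fingerprint=AA:BB:...' or plain hex into lowercase hex."""
    value = fingerprint.split("=", 1)[-1].replace(":", "").strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", value):
        raise ValueError("not a hex fingerprint: %r" % fingerprint)
    return value


def matches(pem_text, expected, algo="sha1"):
    """Compare the leaf fingerprint with a reference value."""
    return hmac.compare_digest(leaf_fingerprint(pem_text, algo), normalize(expected))


def fake_pem(der):
    # Constructed stand-in: arbitrary bytes in PEM armor, not a real X.509 cert.
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")


# Constructed sample shaped like `s_client -showcerts` output: leaf first, then CA.
SAMPLE_CHAIN = (" 0 s:/CN=leaf.example\n" + fake_pem(b"constructed leaf")
                + " 1 s:/CN=ca.example\n" + fake_pem(b"constructed intermediate"))

if __name__ == "__main__":
    print("leaf sha1:", leaf_fingerprint(SAMPLE_CHAIN))
    print("certs in file:", len(pem_certs_to_der(SAMPLE_CHAIN)))
```

The comparison is only as trustworthy as the reference value, so the `expected` fingerprint should come from a source other than the connection being checked.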




