offlineimap, OSX, SSL3_GET_SERVER_CERTIFICATE and the cert_fingerprint?

Johannes Kastl mail at
Wed Jan 30 19:56:39 GMT 2013

Hash: SHA1

Hi everyone,

as a friend of mine lost some mails, I wanted to get offlineimap
working again (after a long long time, see
from 2011).

Im still getting the SSL3_GET_SERVER_CERTIFICATE error, so I tried
patching the
Which did change nothing.

I also have not found a solution to this issue, is there one I have

I then found out about the cert_fingerprint setting. Which could be a
solition, but I have some questions, especially as I am no SSL-expert:

1. How to generate the fingerprint?
> openssl x509 -fingerprint -noout -in file.pem
where file.pem is generated with
> openssl s_client -connect -CApath
> /System/Library/OpenSSL/ -showcerts | perl -ne 'print if
> /BEGIN/../END/; print STDERR if /return/' > file.pem

How to check if the fingerprint generated is really the right one?

3. Connecting to the host via "openssl s_client -connect ..." shows a
"Verify return code: 0 (ok)" which should mean the ssl-server uses the
right certificate (when using file.pem)?

4. Is using the cert_fingerprint enough to ensure that there is A) a
connection via SSL and B) there is no man-in-the-middle?

Sorry if these are stupid questions, but these are pretty important to me.

Thanks in advance.


P.S. Im on OSX 10.8 with the latest files from "git pull".
- -- 
`because it's taking about five hours for the public to get to their
gold at the moment, the goblins have thightened security so much. Two
days ago Arkie Philpott hat a Probity Probe stuck up his ... well,
trust me, this way's easier.οΎ΄ (Bill Weasley in Harry Potter 6)
Version: GnuPG v1.4.13 (Darwin)
Comment: Using GnuPG with SeaMonkey -


More information about the OfflineIMAP-project mailing list