offlineimap, OSX, SSL3_GET_SERVER_CERTIFICATE and the cert_fingerprint?

X Ryl boite.pour.spam at gmail.com
Thu Jan 31 11:46:48 GMT 2013


If you run offlineimap with no UI, then it'll print your server fingerprint
to stdout.
If you're paranoid, run it from a different IP to check if you still get
the same fingerprint.
Then copy and paste the fingerprint inside your .rc file, so you tell OI
that you allow it to accept this server.

To avoid MITM, there is no complete solution, but basically, if you connect
from numerous (unrelated) places to the same server and still get the same
fingerprint, then you're almost sure you're contacting the right server
(unless the MITM is just before the server, but then you can't do anything).

If you're using SSH, you already know that, it's the same security as with
the known_hosts file.

Regards,
Cyril

On Wed, Jan 30, 2013 at 8:56 PM, Johannes Kastl <mail at ojkastl.de> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi everyone,
>
> as a friend of mine lost some mails, I wanted to get offlineimap
> working again (after a long long time, see
> <http://article.gmane.org/gmane.mail.imap.offlineimap.general/4267/>
> from 2011).
>
> I'm still getting the SSL3_GET_SERVER_CERTIFICATE error, so I tried
> patching the imaplib2.py
> (<http://permalink.gmane.org/gmane.mail.imap.offlineimap.general/6078>).
> Which did change nothing.
>
> I also have not found a solution to this issue, is there one I have
> missed?
>
> I then found out about the cert_fingerprint setting. Which could be a
> solution, but I have some questions, especially as I am no SSL-expert:
>
> 1. How to generate the fingerprint?
> > openssl x509 -fingerprint -noout -in file.pem
> where file.pem is generated with
> > openssl s_client -connect imap.gmx.net:993 -CApath
> > /System/Library/OpenSSL/ -showcerts | perl -ne 'print if
> > /BEGIN/../END/; print STDERR if /return/' > file.pem
>
> 2.
> How to check if the fingerprint generated is really the right one?
>
> 3. Connecting to the host via "openssl s_client -connect ..." shows a
> "Verify return code: 0 (ok)" which should mean the ssl-server uses the
> right certificate (when using file.pem)?
>
> 4. Is using the cert_fingerprint enough to ensure that there is A) a
> connection via SSL and B) there is no man-in-the-middle?
>
> Sorry if these are stupid questions, but these are pretty important to me.
>
> Thanks in advance.
>
> Regards,
> Johannes
>
> P.S. I'm on OSX 10.8 with the latest files from "git pull".
> - --
> `because it's taking about five hours for the public to get to their
> gold at the moment, the goblins have tightened security so much. Two
> days ago Arkie Philpott had a Probity Probe stuck up his ... well,
> trust me, this way's easier.´ (Bill Weasley in Harry Potter 6)
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.13 (Darwin)
> Comment: Using GnuPG with SeaMonkey - http://www.enigmail.net/
>
> iEYEARECAAYFAlEJevcACgkQzi3gQ/xETbJehwCdHs2lRL85dPwALiOYmHgevb93
> pOMAoIYfYiyempLlXnQHInIOwJoTdoBI
> =6/4n
> -----END PGP SIGNATURE-----
>
>
> _______________________________________________
> OfflineIMAP-project mailing list
> OfflineIMAP-project at lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/offlineimap-project
>
> OfflineIMAP homepage: http://software.complete.org/offlineimap
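The procedure from the reply above (fetch the server certificate the way `openssl s_client` does, fingerprint it the way `openssl x509 -fingerprint` does, pin it, and check that observations from several vantage points agree), as an added Python example that is not part of this thread and not offlineimap's own code. It assumes that offlineimap stores `cert_fingerprint` as a lowercase SHA-1 hex digest without colons; the host name `imap.example.org` and the placeholder "certificate" bytes used for the self-check are constructed for illustration and are not real certificates.

```python
"""Fetch an IMAP server's TLS certificate and check its fingerprint the way
offlineimap's cert_fingerprint setting does.

Added example for the mailing-list thread above; not offlineimap code.
Assumption: offlineimap pins the SHA-1 of the DER certificate as lowercase
hex without colons, while the openssl CLI prints AB:CD:... uppercase.
"""
import hashlib
import socket
import ssl
import sys


def fetch_server_cert_pem(host, port=993, timeout=10):
    """Return the leaf certificate presented by host:port as PEM.

    Chain validation is deliberately OFF here, exactly like
    `openssl s_client -showcerts`: the goal is only to observe what the
    server sends so it can be compared across vantage points and pinned.
    Nothing is trusted or logged in over this connection.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return ssl.DER_cert_to_PEM_cert(der)


def fingerprint(pem, algorithm="sha1"):
    """Hash the DER bytes, as `openssl x509 -fingerprint -<algorithm>` does.

    Returns lowercase hex without colons, the form assumed for the
    cert_fingerprint line in .offlineimaprc.
    """
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.new(algorithm, der).hexdigest()


def openssl_style(hexdigest):
    """Render a digest the way the openssl CLI prints it: AB:CD:EF:..."""
    pairs = (hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))
    return ":".join(pairs).upper()


def normalize(configured):
    """Accept a fingerprint copied from openssl output or from the rc file."""
    return configured.replace(":", "").strip().lower()


def matches_configured(pem, configured, algorithm="sha1"):
    """Compare a freshly observed certificate against the pinned value."""
    return fingerprint(pem, algorithm) == normalize(configured)


def all_consistent(pems, algorithm="sha1"):
    """The check from the reply: certificates observed from several
    unrelated networks must all carry the same fingerprint."""
    return len({fingerprint(p, algorithm) for p in pems}) == 1


# Constructed self-check data (NOT real certificates): the DER payload is the
# three bytes b"abc", whose SHA-1 is the well-known test vector, and a second
# placeholder so a mismatch can be demonstrated offline.
CONSTRUCTED_CERT_A = ssl.DER_cert_to_PEM_cert(b"abc")
CONSTRUCTED_CERT_B = ssl.DER_cert_to_PEM_cert(b"placeholder DER for server B")
SHA1_OF_ABC = "a9993e364706816aba3e25717850c26c9cd0d89d"


if __name__ == "__main__":
    # Usage: python pin_check.py imap.example.org [993] [pinned_fingerprint]
    host = sys.argv[1] if len(sys.argv) > 1 else "imap.example.org"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 993
    pem = fetch_server_cert_pem(host, port)
    fp = fingerprint(pem)
    print("cert_fingerprint = " + fp)
    print("openssl form:      " + openssl_style(fp))
    if len(sys.argv) > 3:
        print("matches pinned:   ", matches_configured(pem, sys.argv[3]))
```

When reproducing the fingerprint with the openssl CLI, pass the digest explicitly (`openssl x509 -fingerprint -sha1 -noout -in file.pem`) so that the hash you pin is the one offlineimap computes; `fingerprint(pem, "sha256")` is provided for comparing against a `-sha256` output, but it is not what the rc file is assumed to expect.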