offlineimap, OSX, SSL3_GET_SERVER_CERTIFICATE and the cert_fingerprint?
mail at ojkastl.de
Thu Jan 31 21:24:48 GMT 2013
On 1/31/13 12:46 PM X Ryl wrote:
> If you run offlineimap with no UI, then it'll print your server
> fingerprint to stdout.
> If you're paranoid, run it from a different IP to check if you
> still get the same fingerprint. Then copy and paste the fingerprint
> inside your .rc file, so you tell OI that you allow it to accept
> this server.
I got it to work, but it's still somehow cheesy.
Is the fingerprint somehow included in the server certificate? Or is
it listed on the issuer's database somewhere?
> To avoid MITM, there is no complete solution, but basically, if you
> connect from numerous (unrelated) places to the same server and
> still get the same fingerprint, then you're almost sure you're
> contacting the right server (unless the MITM is just before the
> server, but then you can't do anything).
> If you're using SSH, you already know that, it's the same security
> as with the known_host file.
I was hoping you would say something different, but I guessed it would
work like ssh with known_host.
Good enough for now, I guess.
Thanks for your reply.
Still, the SSL3_GET_SERVER_CERTIFICATE error is not yet fixed?
Why is it that New Jersey got all the toxic waste dumps and California
got all the lawyers?
New Jersey had first choice.
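
Added example, not part of the original message and not OfflineIMAP's own code: a fingerprint of the kind pasted into the .rc file is not stored inside the certificate or in any issuer database; it is a hash computed over the DER-encoded certificate the server presents, and pinning means comparing that hash on every connection. The sketch assumes a SHA-1 hex digest; the function names and the sample bytes are constructed for illustration.

```python
import hashlib
import socket
import ssl

# Constructed stand-in bytes, NOT a real certificate; a fingerprint is a hash
# over whatever DER bytes the server sends, so any byte string shows the logic.
SAMPLE_DER = b"constructed stand-in for a DER-encoded server certificate"

def fingerprint(der_cert, algo="sha1"):
    """Lower-case hex digest of the DER-encoded certificate (SHA-1 assumed)."""
    return hashlib.new(algo, der_cert).hexdigest()

def normalize(pin):
    """Accept 'AA:BB:..', 'aa bb ..' or plain hex; return bare lower-case hex."""
    return "".join(pin.split()).replace(":", "").lower()

def matches_pin(der_cert, pins, algo="sha1"):
    """True if the presented certificate hashes to one of the pinned values.
    Several pins let an old and a renewed certificate coexist (a convention of
    this example)."""
    actual = fingerprint(der_cert, algo)
    return any(actual == normalize(p) for p in pins if p.strip())

def fetch_der(host, port=993, timeout=10):
    """Fetch the certificate a server presents on an implicit-TLS port.
    Chain validation is off because the pin comparison is the trust decision,
    as with SSH known_hosts. Needs network access; not run on import."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

if __name__ == "__main__":
    pinned = fingerprint(SAMPLE_DER)            # first contact: record the pin
    print("pin:", pinned)
    print("same cert:", matches_pin(SAMPLE_DER, [pinned]))
    print("changed cert:", matches_pin(SAMPLE_DER + b"\x00", [pinned]))
```

A pin recorded this way is only as trustworthy as the first connection it was taken from, and it has to be updated whenever the server's certificate is replaced.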