offlineimap, OSX, SSL3_GET_SERVER_CERTIFICATE and the cert_fingerprint?

Johannes Kastl mail at ojkastl.de
Thu Jan 31 21:24:48 GMT 2013


On 1/31/13 12:46 PM X Ryl wrote:
> If you run offlineimap with no UI, then it'll print your server
> fingerprint to stdout.

OK.

> If you're paranoid, run it from a different IP to check if you
> still get the same fingerprint. Then copy and paste the fingerprint
> inside your .rc file, so you tell OI that you allow it to accept
> this server.

I got it to work, but it's still somehow cheesy.

Is the fingerprint somehow included in the server certificate? Or is
it listed on the issuers database somewhere?

> To avoid MITM, there is no complete solution, but basically, if you
> connect from numerous (unrelated) places to the same server and
> still get the same fingerprint, then you're almost sure you're
> contacting the right server (unless the MITM is just before the
> server, but then you can't do anything).
> 
> If you're using SSH, you already know that, it's the same security
> as with the known_host file.

I was hoping you would say something different, but I guessed it would
work like ssh with known_host.

Good enough for now, I guess.

Thanks for your reply.

Still, the SSL3_GET_SERVER_CERTIFICATE error is not yet fixed?

Regards,
Johannes
-- 
Why is it that New Jersey got all the toxic waste dumps and California
got all the lawyers?
New Jersey had first choice.
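Added example, not part of the original message and not offlineimap's own code: a known_hosts-style pin check of the kind discussed in this thread. It assumes the fingerprint is the hex SHA-1 digest of the whole DER-encoded certificate; fingerprint, check_pin, fetch_der and SAMPLE_PEM are hypothetical names, and the sample certificate is constructed.

```python
import base64
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for a server certificate: the payload is arbitrary
# bytes, not a real X.509 structure. Only the hashing and pinning are shown.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed certificate bytes for the example").decode()
    + "\n-----END CERTIFICATE-----\n"
)

def fingerprint(der: bytes) -> str:
    """Hex SHA-1 over the complete DER blob (assumed fingerprint form).

    The digest is computed by the client; it is not a field stored in the
    certificate, so changing any byte of the certificate changes it.
    """
    return hashlib.sha1(der).hexdigest()

def check_pin(der: bytes, pinned: str):
    """Return ('first-use' | 'match' | 'mismatch', seen_fingerprint)."""
    seen = fingerprint(der)
    if not pinned:
        # Nothing pinned yet: report the value so it can be verified
        # out of band before it is written to the config file.
        return "first-use", seen
    wanted = pinned.replace(":", "").replace(" ", "").lower()
    ok = hmac.compare_digest(seen, wanted)
    return ("match" if ok else "mismatch"), seen

def fetch_der(host: str, port: int = 993) -> bytes:
    """Fetch the server's leaf certificate as DER bytes.

    CA validation is disabled on purpose: in this model the pin, not the
    CA chain, decides whether the server is accepted.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

if __name__ == "__main__":
    der = ssl.PEM_cert_to_DER_cert(SAMPLE_PEM)
    print(check_pin(der, ""))                 # first contact, nothing pinned
    print(check_pin(der, fingerprint(der)))   # same certificate seen again
    print(check_pin(der + b"\x00", fingerprint(der)))  # certificate changed
```

A "mismatch" means either the server's certificate was replaced (renewal included) or something is intercepting the connection; the pin alone cannot tell the two apart.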
