Specifying Multiple SSL Fingerprints

Tomasz Żok tomasz.zok at gmail.com
Sat Nov 15 09:31:35 GMT 2014


Hi,

From the practical point of view of an IMAP administrator, even if both nodes have
different certificates, they will most likely be signed by the same CA.
A single company will use a single chain of certificates; at least that's what
seems reasonable to me.

If you trust the CA certificate, then you trust every certificate it issues.
Therefore, with one configuration, you will trust both IMAP nodes at the same
time.

You need to find out which CA issued the certs for both IMAP nodes and verify that
my assumption about a single CA for both is true. If so, then you need to get
this certificate and configure OfflineIMAP to use it.

You can use the following command to find the certificate chain:
    $ openssl s_client -connect imap.gmail.com:imaps
    [...]
    Certificate chain
     0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=imap.gmail.com
       i:/C=US/O=Google Inc/CN=Google Internet Authority G2
     1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
       i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
     2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
       i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    [...]

For an IMAP client to work, you need to trust ANY of these certificates! So,
once again using this example: in my opinion, a likely scenario is that in your
case the subject of certificate 0 is different for the two IMAP nodes, but the
chain of issuers is the same. If you configure OfflineIMAP to trust any of the
issuers, then you are fine with two IMAP nodes.

All the best,
Tomasz

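As an added example (not part of this post and not OfflineIMAP project code), the script below reproduces the situation Tomasz describes offline: it uses openssl to build a hypothetical "Example Corp IMAP CA", issues certificates for two hypothetical nodes, imap1.example.com and imap2.example.com, and shows that the two leaf SHA-1 fingerprints differ while both certificates verify against the single ca.pem, which is exactly what an sslcacertfile setting relies on. A third certificate with the same CN from an unrelated CA is rejected. The host names, file paths and the repository section shown in the comments are assumptions, not anything from the original thread.

```sh
#!/bin/sh
# Added example, not from the original post or the OfflineIMAP project.
# Builds a hypothetical "Example Corp IMAP CA", issues two node certificates
# from it, and shows that their SHA-1 fingerprints differ while both verify
# against the one CA file. Requires the openssl command-line tool.
set -eu

# make_ca DIR: create a self-signed CA key and certificate in DIR.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/ca.key" -out "$1/ca.pem" \
        -subj "/O=Example Corp/CN=Example Corp IMAP CA" >/dev/null 2>&1
}

# make_node DIR NAME: issue a certificate for host NAME, signed by DIR/ca.pem.
make_node() {
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$1/$2.key" -out "$1/$2.csr" \
        -subj "/O=Example Corp/CN=$2" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$1/$2.csr" \
        -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/$2.pem" >/dev/null 2>&1
}

# fingerprint FILE: SHA-1 fingerprint as lower-case hex without colons,
# the form OfflineIMAP's cert_fingerprint option takes.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 \
        | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# verify_against_ca CAFILE CERT: succeed only if CERT chains to CAFILE.
verify_against_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo: one CA, two nodes, plus a look-alike certificate from a different CA.
demo() {
    work=$(mktemp -d)
    make_ca "$work"
    make_node "$work" imap1.example.com
    make_node "$work" imap2.example.com

    echo "imap1 fingerprint: $(fingerprint "$work/imap1.example.com.pem")"
    echo "imap2 fingerprint: $(fingerprint "$work/imap2.example.com.pem")"
    for n in imap1 imap2; do
        if verify_against_ca "$work/ca.pem" "$work/$n.example.com.pem"; then
            echo "$n: chains to Example Corp IMAP CA"
        fi
    done

    # A certificate with the same CN from an unrelated CA must not pass:
    mkdir "$work/rogue"
    make_ca "$work/rogue"
    make_node "$work/rogue" imap1.example.com
    if ! verify_against_ca "$work/ca.pem" "$work/rogue/imap1.example.com.pem"; then
        echo "rogue imap1: rejected, different issuer"
    fi

    # Matching OfflineIMAP repository section (assumed names; sslcacertfile
    # replaces cert_fingerprint, and the path is wherever you copied ca.pem):
    #   [Repository Work-Remote]
    #   type = IMAP
    #   ssl = yes
    #   sslcacertfile = ~/.config/offlineimap/example-corp-ca.pem
    #
    # To capture a real server's chain instead of generating one:
    #   openssl s_client -connect imap.example.com:993 -showcerts </dev/null
    rm -rf "$work"
}

demo
```

Trusting the CA accepts any certificate that CA issues, so it is a weaker pin than a leaf fingerprint; the rogue case above only shows that a certificate from a different issuer is still refused. For the real Exchange cluster, run the s_client command from the comment against each node and confirm that the issuer lines match before switching from cert_fingerprint to sslcacertfile.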

On 2014-11-14 at 12:55, Zweimueller Wolfgang wrote:
> 
> Hello,
> 
> I have the same problem here with our MS Exchange Cluster. Every now
> and then the IMAP service switches from one server to the other. The
> Exchange admin cannot solve the problem by installing the same cert
> on both nodes because the certs are bound to the hosts and not the
> service.
> 
> A solution would be nice but not a life saver ;-)
> 
> 
> Cheers,
> Wolfgang
> 
> 
> Sebastian Spaeth <Sebastian at SSpaeth.de> writes:
> 
> > To be honest, I don't see this coming. The configuration is complex
> > enough as it is. And given that Python 2 is still extremely bad at
> > verifying everything SSL, I don't believe this would be worthwhile
> > (although I can certainly feel your pain).
> >
> > Sebastian
> >
> > On 24.10.2014 13:13, Greg Headley wrote:
> >> All,
> >>  
> >> I am using OfflineIMAP through Mutt for both my work and personal
> >> email.  On the work side, I have a frustrating issue where my SSL
> >> fingerprint alternates between two different strings.  This does not
> >> happen at any kind of regular interval, but it does happen often.
> >>  
> >> In the depths of some forum, I did find mention of a hotfix to allow
> >> specification of multiple fingerprints, but I cannot seem to get the
> >> syntax correct. Can anyone advise? At present I have been having to
> >> manually edit my dotfile every time the fingerprint switches.
> >> Specifying both would be great.
> >>  
> >> Thanks for any help.
> >>  
> >> Cheers,
> >> Greg
> >> 
> >> 
> >> _______________________________________________
> >> OfflineIMAP-project mailing list
> >> OfflineIMAP-project at lists.alioth.debian.org
> >> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/offlineimap-project
> >> 
> >> OfflineIMAP homepage: http://software.complete.org/offlineimap
> >> 
> 
> 
