OSX sslcacertfile and GMail (Basic help)

Lucien Pullen drurowin at gmail.com
Mon May 18 20:17:19 BST 2015


Also sprach Rainer M Krug on 2015-05-18:
> "M. Henry Linder" <mhlinder at gmail.com> writes:
>
>> Lucien
>>
>> Thanks for the response. OpenSSL wasn’t doing The Right Thing, and a
>> variety of other fixes weren’t working either—various certs downloaded
>> offline, etc.
>>
>> What ended up working was just dumping all the Keychain System Roots
>> certs to a PEM file
>> (http://stackoverflow.com/questions/24675167/ca-certificates-mac-os-x),
>> which feels a bit hacky but at least works
>
> I did exactly the same, and I agree it feels hacky.
>
> I have no idea about Python, but wouldn't it be possible that
> offlineimap could directly read the certificate from the keychain if
> told to do so? This would be very helpful (and presumably safer -
> consider updates of the certificates!)

I'm looking into the relevant bits in the source and learning more about
security(1).  I'm gonna try to put together a working code fragment that
lets me connect using just "GeoTrust Global CA", which is the CA Google
uses[1] and the closest thing that Macintosh ships with.  Next up I may
make it more general to support giving offlineimap the name of the CA
instead of hard-coding the thing to make Google work.

[1] <https://pki.google.com/>
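
Added illustration, not code from this message or from OfflineIMAP: a Python sketch of pulling one named CA out of the system roots keychain with security(1) for use as sslcacertfile, instead of dumping every root. The keychain path, function names and output file name are assumptions, and the sample PEM is constructed, not a real certificate.

```python
import base64
import hashlib
import re
import subprocess
import sys

# Assumption: default location of the system roots keychain on OS X.
SYSTEM_ROOTS = "/System/Library/Keychains/SystemRootCertificates.keychain"
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.*?)\s+-----END CERTIFICATE-----", re.S)
# Constructed sample output (not a real certificate) for running off a Mac.
SAMPLE = (b"-----BEGIN CERTIFICATE-----\nY29uc3RydWN0ZWQ=\n"
          b"-----END CERTIFICATE-----\n")


def split_pem(bundle):
    """Return the DER bytes of every certificate in a PEM bundle."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_RE.findall(bundle)]


def export_ca(name, run=subprocess.check_output):
    """Ask security(1) for the certificates matching `name`.

    `run` is injectable so the parsing can be exercised without a keychain.
    Returns (pem_text, [sha256 fingerprints]).
    """
    out = run(["security", "find-certificate", "-a", "-c", name, "-p",
               SYSTEM_ROOTS])
    pem = out.decode("ascii") if isinstance(out, bytes) else out
    ders = split_pem(pem)
    if not ders:
        raise LookupError("no certificate named %r in %s" % (name, SYSTEM_ROOTS))
    # -a returns every match, so more than one root can come back; compare
    # the fingerprints with the CA's published values before trusting the file.
    return pem, [hashlib.sha256(d).hexdigest() for d in ders]


def write_bundle(pem, path):
    """Write the PEM text to `path`, the file sslcacertfile points at."""
    with open(path, "w") as fh:
        fh.write(pem)


if __name__ == "__main__":
    on_mac = sys.platform == "darwin"
    runner = subprocess.check_output if on_mac else (lambda argv: SAMPLE)
    pem, prints = export_ca("GeoTrust Global CA", run=runner)
    for fp in prints:
        print("sha256:", fp)
    if on_mac:
        write_bundle(pem, "geotrust.pem")  # hypothetical output file name
```

Because the file is regenerated from the keychain on each run, it follows system certificate updates, which is the concern raised in the quoted message.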



