OSX sslcacertfile and GMail (Basic help)

Lucien Pullen drurowin at gmail.com
Tue May 19 05:03:01 BST 2015


Also sprach chris coleman on 2015-05-18:
> There should be a standard method to get OpenSSL to download and use
> the current full set of public root CA certs !

I noticed that the certificate you get by connecting to Gmail tells
where to get its CA from.  Got distracted after dinner instead of
writing a routine to do the fetch in an automated fashion.

The only thing I noticed is that GIAG2.crt is (at least until January 1,
2017) DER format, and OpenSSL is too dumb to convert it to PEM format
itself.  Luckily, if you know what input format it is, you can tell
OpenSSL to convert it yourself. {{eyeroll}}

I've got code working to create a PEM file from the keychain that
specializes getsslcacertfile() for Gmail IMAP on Darwin.  Perhaps we
should cache the fetch of GIAG2.crt into the keychain (which also solves
OpenSSL not being able to use DER)?  Not as great as OpenSSL being fixed
to do this itself (The Right Thing), but should work in the meanwhile.




More information about the OfflineIMAP-project mailing list