OSX sslcacertfile and GMail (Basic help)

Rainer M Krug Rainer at krugs.de
Tue May 19 08:45:55 BST 2015 

Lucien Pullen <drurowin at gmail.com> writes:

> Also sprach Rainer M Krug on 2015-05-19:
>> I don't have much knowledge of all these security issues, but as far as
>> I know, the certificates are already in the keychain? Or are they there,
>> because they have been downloaded by Safari browser before?
>
> I don't use Safari, but on both computers I have access to Google's
> intermediate CA is not present in the keychain... at least not the two
> in /System/Library/Keychains/ (these correspond to the "System Roots" in
> Keychain Access).  On both computers, my login keychain also doesn't
> contain the CA.  I'm not sure about the other person's account (who does
> use Safari).

The directory looks on my computer as follow:

,----
| 09:39:52 ~$ ll /System/Library/Keychains/
| total 1352
| drwxr-xr-x   8 root  wheel   272B Apr  9 16:26 .
| drwxr-xr-x  79 root  wheel   2.6K Mar 28 12:20 ..
| -r--r--r--   1 root  wheel     0B Sep  2  2013 .fl50FB2F69
| -rw-r--r--   1 root  wheel   6.6K Mar 24 04:50 EVRoots.plist
| -rw-r--r--   1 root  wheel   192K Mar 24 04:50 SystemCACertificates.keychain
| -rw-r--r--   1 root  wheel   464K Apr  9 16:26 SystemRootCertificates.keychain
| -rw-r--r--   1 root  wheel   103K Mar 24 04:50 SystemTrustSettings.plist
| -rw-r--r--   1 root  wheel   276K Sep 10  2014 X509Anchors
| 09:39:56 ~$
`----


>
> Having to use Safari in order for the certificate to be present in the
> keychain is not quite ideal, thus my question of having offlineimap take
> care of fetching the dependent CA.

I don't know - if to let offlineimap fetch the certificates would result
i duplication of the certificates in the keychain, it would not be a
disadvantage and to let the user fetch the certificate would be the
better solution (as Safari is installed, it would be a minor
inconvenience - if one has to use Mail, it would be a problem). But if
offlineimap would add a missing certificate in such a way that It will
be used by other applications as well in the "OSX way of doing things",
that would be perfect.

Cheers,

Rainer

>
> (From what I could tell, Certificate Assistant also could not
> automatically resolve the missing certificate, so I believe that Safari
> is installing it because it needs it, not because the security subsystem
> is taking care of things.)

-- 
Rainer M. Krug, PhD (Conservation Ecology, SUN), MSc (Conservation Biology, UCT), Dipl. Phys. (Germany)

Centre of Excellence for Invasion Biology
Stellenbosch University
South Africa

Tel :       +33 - (0)9 53 10 27 44
Cell:       +33 - (0)6 85 62 59 98
Fax :       +33 - (0)9 58 10 27 44

Fax (D):    +49 - (0)3 21 21 25 22 44

email:      Rainer at krugs.de

Skype:      RMkrug

PGP: 0x0F52F982
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 494 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/offlineimap-project/attachments/20150519/3dadc862/attachment-0003.sig>

More information about the OfflineIMAP-project mailing list