Hi all,

I use fetchmail to retrieve mail from my university's IMAP server
with SSL enabled. After an upgrade to the latest stable version,
whenever I run fetchmail, I get the following output:

[12:12 PM]wwong ~ $ fetchmail
fetchmail: Server certificate verification error: unable to get local issuer certificate
fetchmail: Server certificate verification error: certificate not trusted
fetchmail: Server certificate verification error: unable to verify the first certificate

But since I didn't request fetchmail to strictly match certificates,
the mail still downloads fine. Now, the server certificate from the
university mail server is signed by the university's computing staff,
and I know that if I use webmail or other resources, I can download
the certificate and, when a dialog pops up asking if I want to trust
the CA, I can set it so that Firefox won't ask anymore in the future.

My question is, how do I import a certificate authority so that
fetchmail would recognize it? From the man page it says

--sslcertck
    (Keyword: sslcertck) Causes fetchmail to strictly check the
    server certificate against a set of local trusted certificates
    (see the sslcertpath option). If the server certificate is not
    signed by one of the trusted ones (directly or indirectly), the
    SSL connection will fail. This checking should prevent man-in-
    the-middle attacks against the SSL connection. Note that CRLs
    are seemingly not currently supported by OpenSSL in certificate
    verification! Your system clock should be reasonably accurate
    when using this option!

--sslcertpath <directory>
    (Keyword: sslcertpath) Sets the directory fetchmail uses to look
    up local certificates. The default is your OpenSSL default one.
    The directory must be hashed as OpenSSL expects it - every time
    you add or modify a certificate in the directory, you need to
    use the c_rehash tool (which comes with OpenSSL in the tools/
    subdirectory).

so I guess my question is how to import a certificate into OpenSSL?

Thanks,

Willie
--
Bakers trade bread recipes on a knead to know basis.
Sortir en Pantoufles: up 110 days, 9:37
--
gentoo-user@g.o mailing list
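
The hashed directory that the quoted sslcertpath text describes, as an added example that is not part of the original post and not fetchmail's or OpenSSL's own code: it links a CA certificate under its subject hash (what c_rehash does per certificate) and shows a server certificate verifying only afterwards. The function names, the throwaway CA and the host name imap.example.invalid are constructed for the demonstration.

```shell
#!/bin/sh
# install_ca CA_PEM CERTDIR  (CA_PEM must live outside CERTDIR)
# Copies the CA certificate and creates the <subject-hash>.<n> symlink that
# OpenSSL looks up, i.e. what c_rehash does for each certificate in CERTDIR.
# Check `openssl x509 -in CA_PEM -noout -fingerprint -sha256` against a value
# obtained out of band before trusting the file.
install_ca() {
    ca_pem=$1 certdir=$2
    mkdir -p "$certdir" || return 1
    # Fails here if the file is not a parseable PEM certificate.
    hash=$(openssl x509 -in "$ca_pem" -noout -hash) || return 1
    n=0
    while [ -e "$certdir/$hash.$n" ]; do
        cmp -s "$certdir/$hash.$n" "$ca_pem" && return 0  # already installed
        n=$((n + 1))  # another CA shares this hash: use the next suffix
    done
    cp "$ca_pem" "$certdir/" && ln -s "$(basename "$ca_pem")" "$certdir/$hash.$n"
}

# chain_ok SERVER_PEM CERTDIR: succeeds if SERVER_PEM verifies using CERTDIR
# (OpenSSL's default CA file, if one exists, is consulted as well).
chain_ok() {
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}

# make_constructed_pki DIR: throwaway CA plus server certificate (constructed).
make_constructed_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=imap.example.invalid" \
        -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/srv.pem" 2>/dev/null
}

# demo: the server certificate is rejected until its CA is hashed in.
demo() {
    work=$(mktemp -d) || return 1
    make_constructed_pki "$work" || return 1
    mkdir "$work/certs"
    chain_ok "$work/srv.pem" "$work/certs" && return 1   # must fail first
    install_ca "$work/ca.pem" "$work/certs" || return 1
    chain_ok "$work/srv.pem" "$work/certs"; rc=$?
    rm -rf "$work"
    return $rc
}

demo && echo "server certificate verified only after the CA was hashed in"
```

Once a directory has been populated this way, the sslcertck and sslcertpath keywords quoted from the man page are what point fetchmail at it.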