Gentoo Archives: gentoo-user

From: Willie Wong <wwong@×××××××××.EDU>
To: gentoo-user@l.g.o
Subject: [gentoo-user] Import SSL Certificate Authority
Date: Thu, 02 Mar 2006 17:29:48
Message-Id: 20060302171958.GA11457@princeton.edu
Hi all,

I use fetchmail to retrieve mail from my university's IMAP server
with SSL enabled. After an upgrade to the latest stable version,
whenever I run fetchmail, I get the following output:

[12:12 PM]wwong ~ $ fetchmail
fetchmail: Server certificate verification error: unable to get local issuer certificate
fetchmail: Server certificate verification error: certificate not trusted
fetchmail: Server certificate verification error: unable to verify the first certificate

But since I didn't request fetchmail to strictly match certificates,
the mail still downloads fine. Now, the server certificate from the
university mail server is signed by the university's computing staff,
and I know that if I use webmail or other resources, I can download
the certificate and, when a dialog pops up asking if I want to trust
the CA, I can set it so that firefox won't ask anymore in the future.

My question is, how do I import a certificate authority so that
fetchmail would recognize it? From the man page it says

--sslcertck
    (Keyword: sslcertck) Causes fetchmail to strictly check the
    server certificate against a set of local trusted certificates
    (see the sslcertpath option). If the server certificate is not
    signed by one of the trusted ones (directly or indirectly), the
    SSL connection will fail. This checking should prevent man-in-
    the-middle attacks against the SSL connection. Note that CRLs
    are seemingly not currently supported by OpenSSL in certificate
    verification! Your system clock should be reasonably accurate
    when using this option!

--sslcertpath <directory>
    (Keyword: sslcertpath) Sets the directory fetchmail uses to look
    up local certificates. The default is your OpenSSL default one.
    The directory must be hashed as OpenSSL expects it - every time
    you add or modify a certificate in the directory, you need to
    use the c_rehash tool (which comes with OpenSSL in the tools/
    subdirectory).

so I guess my question is how to import a certificate into OpenSSL?

Thanks,

Willie
--
Bakers trade bread recipes on a knead to know basis.
Sortir en Pantoufles: up 110 days, 9:37
--
gentoo-user@g.o mailing list
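
The hashed-directory layout that the quoted sslcertpath text describes, as an added example that is not part of the original message or of fetchmail: it creates by hand the subject-hash symlink that c_rehash produces, then checks a server certificate against the directory with openssl verify. The CA, host name, user name and paths are constructed for the demonstration, and the default OpenSSL configuration is assumed to mark the generated CA as a CA.

```shell
#!/bin/sh
# Added example (not from the original message). All names/paths are constructed.

# install_ca CA_PEM CERT_DIR: copy a CA certificate into CERT_DIR and create
# the <subject-hash>.N symlink that c_rehash would create for it.
install_ca() {
    ca_pem=$1; cert_dir=$2
    # Refuse input that does not parse as an X.509 certificate.
    openssl x509 -in "$ca_pem" -noout 2>/dev/null || return 1
    mkdir -p "$cert_dir" || return 1
    cp "$ca_pem" "$cert_dir/$(basename "$ca_pem")" || return 1
    hash=$(openssl x509 -in "$ca_pem" -noout -subject_hash) || return 1
    n=0
    # Distinct CAs can share a hash value, so take the first free suffix.
    while [ -e "$cert_dir/$hash.$n" ]; do
        cmp -s "$cert_dir/$hash.$n" "$ca_pem" && return 0   # already installed
        n=$((n + 1))
    done
    ln -s "$(basename "$ca_pem")" "$cert_dir/$hash.$n"
}

# demo WORKDIR: build a throwaway CA and server certificate, then show that
# verification fails before the import and succeeds after it.
demo() {
    work=$1
    mkdir -p "$work/certs" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Campus CA" \
        -keyout "$work/ca.key" -out "$work/ca.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=imap.example.edu" \
        -keyout "$work/srv.key" -out "$work/srv.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$work/srv.csr" -days 1 -CAcreateserial \
        -CA "$work/ca.pem" -CAkey "$work/ca.key" \
        -out "$work/srv.pem" 2>/dev/null || return 1
    # Empty directory: the issuer cannot be found, so this must fail.
    if openssl verify -CApath "$work/certs" "$work/srv.pem" >/dev/null 2>&1
    then return 1; fi
    install_ca "$work/ca.pem" "$work/certs" || return 1
    openssl verify -CApath "$work/certs" "$work/srv.pem" >/dev/null 2>&1
}

# Matching ~/.fetchmailrc line once the real CA is installed (values constructed):
#   poll imap.example.edu protocol IMAP user "me" ssl sslcertck sslcertpath "/home/me/.certs"
if [ "${1:-}" = "--demo" ]; then
    demo "$(mktemp -d)" && echo "server certificate verifies after import"
fi
```

Before installing a real CA certificate this way, obtain it over a channel you already trust and compare its fingerprint with the one the issuer publishes, since anything placed in the directory becomes a trust anchor for sslcertck.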

Replies

Subject Author
Re: [gentoo-user] Import SSL Certificate Authority [SOLVED] Willie Wong <wwong@×××××××××.EDU>