public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] Import SSL Certificate Authority
@ 2006-03-02 17:19 Willie Wong
From: Willie Wong @ 2006-03-02 17:19 UTC
  To: gentoo-user

Hi all, 

  I use fetchmail to retrieve mail from my university's IMAP server
with SSL enabled. After an upgrade to the latest stable version,
whenever I run fetchmail, I get the following output:

[12:12 PM]wwong ~ $ fetchmail
fetchmail: Server certificate verification error: unable to get local issuer certificate
fetchmail: Server certificate verification error: certificate not trusted
fetchmail: Server certificate verification error: unable to verify the first certificate

But since I didn't request fetchmail to strictly match certificates,
the mail still downloads fine. Now, the server certificate from the
university mail server is signed by the university's computing staff,
and I know that if I use webmail or other resources, I can download
the certificate and, when a dialog pops up asking if I want to trust
the CA, I can set it so that firefox won't ask anymore in the future. 

My question is, how do I import a certificate authority so that
fetchmail would recognize it? From the man page it says

       --sslcertck
              (Keyword: sslcertck) Causes  fetchmail  to  strictly  check  the
              server  certificate  against a set of local trusted certificates
              (see the sslcertpath option). If the server certificate  is  not
              signed  by one of the trusted ones (directly or indirectly), the
              SSL connection will fail. This checking should  prevent  man-in-
              the-middle  attacks  against  the SSL connection. Note that CRLs
              are seemingly not currently supported by OpenSSL in  certificate
              verification!  Your  system  clock should be reasonably accurate
              when using this option!

       --sslcertpath <directory>
              (Keyword: sslcertpath) Sets the directory fetchmail uses to look
              up  local certificates. The default is your OpenSSL default one.
              The directory must be hashed as OpenSSL expects it - every  time
              you  add  or  modify a certificate in the directory, you need to
              use the c_rehash tool (which comes with OpenSSL  in  the  tools/
              subdirectory).

so I guess my question is how to import a certificate into OpenSSL?

Thanks, 

Willie
-- 
Bakers trade bread recipes on a knead to know basis.
Sortir en Pantoufles: up 110 days,  9:37
-- 
gentoo-user@gentoo.org mailing list

* Re: [gentoo-user] Import SSL Certificate Authority [SOLVED]
From: Willie Wong @ 2006-03-02 18:15 UTC
  To: gentoo-user

On Thu, Mar 02, 2006 at 12:19:58PM -0500, Penguin Lover Willie Wong squawked:
> [12:12 PM]wwong ~ $ fetchmail
> fetchmail: Server certificate verification error: unable to get local issuer certificate
> fetchmail: Server certificate verification error: certificate not trusted
> fetchmail: Server certificate verification error: unable to verify the first certificate
> 
>        --sslcertpath <directory>
>               (Keyword: sslcertpath) Sets the directory fetchmail uses to look
>               up  local certificates. The default is your OpenSSL default one.
>               The directory must be hashed as OpenSSL expects it - every  time
>               you  add  or  modify a certificate in the directory, you need to
>               use the c_rehash tool (which comes with OpenSSL  in  the  tools/
>               subdirectory).
> 
> so I guess my question is how to import a certificate into OpenSSL?
> 

Never mind, solved. 

First, download the certificate [say, "university.crt"]
Second, [the step I was missing, from 'man x509'], 
  openssl x509 -in university.crt -addtrust emailProtection -out uni.pem
Third, put the file uni.pem into a directory, say ~/.my_trusted_certs
Fourth, run 
  c_rehash ~/.my_trusted_certs
Fifth, edit the .fetchmailrc to append 'sslcertpath "$HOME/.my_trusted_certs"'
to the university's line. 

Now it works without the error. 

W
-- 
"All of this is on the web, so other people know it too."
~DeathMech, S. Sondhi. P-town PHY 205
Sortir en Pantoufles: up 110 days, 10:35
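The procedure in the [SOLVED] message, worked through as an added example that is not part of the original thread. The script creates a temporary trust directory standing in for ~/.my_trusted_certs, performs the c_rehash step by hand (copy the PEM in, then add a <subject-hash>.<n> symlink, which is the name OpenSSL's CApath lookup actually opens), and then checks two certificates against it with `openssl verify`: the installed one passes, and a second certificate carrying the same server name but issued by nobody in the directory is rejected, which is exactly the case sslcertck exists to catch. Both certificates, the key files, the host name imap.example.edu and the temporary directory are constructed for the example; the post's `-addtrust emailProtection` conversion is left out, because a plain certificate in the directory is trusted for any purpose, whereas explicit trust attributes restrict it to the purposes named.

```shell
#!/bin/sh
# Added example (not from the original thread): build the hashed trust
# directory that fetchmail's sslcertpath expects, the way c_rehash does,
# and check which certificates verify against it. Everything is generated
# locally in a temporary directory; no real university certificate is used.
set -eu

WORK="$(mktemp -d)"
TRUSTDIR="$WORK/my_trusted_certs"   # stands in for ~/.my_trusted_certs
mkdir -p "$TRUSTDIR"

# Constructed fixtures: one self-signed certificate playing the university's
# IMAP server, and a second one with the same name from an unknown issuer
# (what an interposed host would present).
make_self_signed() {   # $1 = output cert, $2 = output key, $3 = subject CN
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$3" \
        -keyout "$2" -out "$1" >/dev/null 2>&1
}
make_self_signed "$WORK/university.crt" "$WORK/university.key" "imap.example.edu"
make_self_signed "$WORK/impostor.crt"   "$WORK/impostor.key"   "imap.example.edu"

# The thread's c_rehash step for one certificate: copy the PEM into the
# directory and add a <subject-hash>.<n> symlink, the file name OpenSSL's
# CApath lookup opens. <n> is the first free suffix, so two certificates
# with the same subject name can coexist. Prints the link name.
install_trusted_cert() {   # $1 = PEM certificate, $2 = trust directory
    name="$(basename "$1" .crt).pem"
    cp "$1" "$2/$name"
    hash="$(openssl x509 -noout -hash -in "$2/$name")"
    n=0
    while [ -e "$2/$hash.$n" ]; do n=$((n + 1)); done
    ln -s "$name" "$2/$hash.$n"
    echo "$hash.$n"
}

# What fetchmail's sslcertck asks OpenSSL: does the presented certificate
# chain to something in the trust directory? Returns 0 if so, 1 otherwise.
verify_against() {   # $1 = trust directory, $2 = certificate to check
    if openssl verify -CApath "$1" "$2" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

link_name="$(install_trusted_cert "$WORK/university.crt" "$TRUSTDIR")"
echo "installed $link_name -> university.pem in $TRUSTDIR"

if verify_against "$TRUSTDIR" "$WORK/university.crt"; then
    echo "university.crt: verified against $TRUSTDIR"
fi
if ! verify_against "$TRUSTDIR" "$WORK/impostor.crt"; then
    echo "impostor.crt: rejected (same name, issuer not in $TRUSTDIR)"
fi

# The matching .fetchmailrc entry, as the post describes it, with sslcertck
# turned on so the three "verification error" lines become a hard failure
# instead of a warning. The host name is constructed.
cat <<EOF

poll imap.example.edu proto imap user "wwong" ssl sslcertck sslcertpath "$TRUSTDIR"
EOF
```

Re-run the `install_trusted_cert` step (or c_rehash) every time a certificate in the directory changes, as the man page excerpt says: OpenSSL never scans the directory, it only opens the hash-named files, so a certificate without its symlink is silently ignored and the connection fails with the same "unable to get local issuer certificate" error.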