how to manually add a certificate for sylpheed to verify ssl connections
against.

disclaimer: the following process has been tested against self-signed and
unknown-CA-signed certs, but not hostname-mismatched or expired certs.

to start:

apt-get install openssl

then execute the following from the command line:

openssl s_client -connect ssl.smtp.example.com:25 </dev/null \
  | openssl x509 -fingerprint -sha1 -text \
  > ~/.sylpheed-2.0/certs/ssl.smtp.example.com:25.pem

if the smtp server is using sasl/starttls (i.e. commanding encryption after
a clear-text protocol handshake), then:

openssl s_client -connect ssl.smtp.example.com:25 -starttls smtp </dev/null \
  | openssl x509 -fingerprint -sha1 -text \
  > ~/.sylpheed-2.0/certs/ssl.smtp.example.com:25.pem

(same initial command as before, just with "-starttls smtp" option added.)

when executing the above commands, you should see one or more of the
following lines:

verify error:num=18:self signed certificate
verify error:num=20:unable to get local issuer certificate
verify error:num=27:certificate not trusted
verify error:num=21:unable to verify the first certificate

those errors mean that openssl was not able to verify the certificate
(either because it was self-signed, in the case of the first error message,
or the certificate was signed by a certificate authority that openssl does
not know about, as in the case of the last three errors).  this should be
similar to the error message sylpheed reports.

to test our new certificate:

openssl s_client -connect ssl.smtp.example.com:25 -CAfile \
~/.sylpheed-2.0/certs/ssl.smtp.example.com:25.pem </dev/null >/dev/null

(add "-starttls smtp" if required previously.)

unlike previously, there should be no "verify error:num=..." lines in the
output of that command.

for purposes of use with sylpheed (and other openssl-based applications),
you might have to create a hashed symlink to the cert file:

ln -s ssl.smtp.example.com:25.pem \
  ~/.sylpheed-2.0/certs/$(openssl x509 -hash -noout \
    <~/.sylpheed-2.0/certs/ssl.smtp.example.com:25.pem).0

test the hashed symlink with:

openssl s_client -connect ssl.smtp.example.com:25 -CApath \
  ~/.sylpheed-2.0/certs/ </dev/null >/dev/null

the output to that last command should be identical to the previous test
(using the "-CAfile" option).

BUT ALL THAT DOES NOTHING TO ENSURE SECURITY WITHOUT VERIFYING THE
AUTHENTICITY OF THE CERTIFICATE!

if you followed my above instructions (placed "-fingerprint" before
"-text"), then the first line of the certificate file should contain the
sha1 fingerprint of the certificate.

head -n1 ~/.sylpheed-2.0/certs/ssl.smtp.example.com:25.pem

(otherwise grep the cert for '^SHA1 Fingerprint='.)

this fingerprint needs to be verified by the owner of the certificate (i.e.
server administrator or someone else who can generate the sha1 fingerprint
of the certificate that physically resides on the server).  without
verification, the certificate is unauthenticated and unproven to be the
certificate used by the server (due to a man-in-the-middle attack, dns
poisoning, etc).

corey
-- 
[EMAIL PROTECTED]

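the whole procedure above as one script, added here as an example and not part of corey's post: fetch the server certificate (with or without starttls), store it with its fingerprint on the first line, create the hashed symlink that -CApath lookup needs, verify the store, and print the fingerprint that still has to be confirmed with the server admin out of band. the function names, the explicit certificate-directory argument and the use of sha256 instead of sha1 for the fingerprint are my choices, not the post's; openssl verify is used for the checks because its exit status reflects the result, whereas s_client exits 0 even after printing "verify error" lines. one caveat for the unknown-CA case: OpenSSL 1.1.0 and later will not trust a non-self-signed leaf certificate sitting in the store unless -partial_chain is given, so for such servers store the issuing CA certificate rather than the server certificate.

```shell
#!/bin/sh
# Example script (not from the original post): install a server certificate
# into a Sylpheed-style certs directory and verify the result with OpenSSL.
# Assumptions: the certs directory is passed explicitly (the post hardcodes
# ~/.sylpheed-2.0/certs), and fingerprints are SHA-256 rather than SHA-1.
set -u

# fetch_cert HOST PORT [PROTO]
# Prints the server's PEM certificate on stdout.  PROTO (e.g. "smtp") turns on
# STARTTLS, exactly as the "-starttls smtp" variant in the post does.
fetch_cert() {
    host=$1; port=$2; proto=${3:-}
    if [ -n "$proto" ]; then set -- -starttls "$proto"; else set --; fi
    openssl s_client -connect "$host:$port" "$@" </dev/null 2>/dev/null \
        | openssl x509
}

# install_cert CERTDIR NAME   (PEM certificate on stdin)
# Writes CERTDIR/NAME.pem with the fingerprint as its first line (-fingerprint
# before -text keeps that ordering), then adds the hashed symlink HASH.N that
# -CApath lookups use, picking the first free N.  Prints the fingerprint.
install_cert() {
    dir=$1; name=$2
    mkdir -p "$dir"
    openssl x509 -fingerprint -sha256 -text > "$dir/$name.pem" || return 1
    hash=$(openssl x509 -subject_hash -noout < "$dir/$name.pem") || return 1
    i=0
    while [ -e "$dir/$hash.$i" ] && \
          [ "$(readlink "$dir/$hash.$i")" != "$name.pem" ]; do
        i=$((i + 1))
    done
    ln -sf "$name.pem" "$dir/$hash.$i"
    head -n1 "$dir/$name.pem" | sed 's/^SHA256 Fingerprint=//'
}

# fingerprint_of PEMFILE
# Independent SHA-256 fingerprint of a certificate file, for comparison with
# what the server admin reports (or with install_cert's output).
fingerprint_of() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" \
        | sed 's/^SHA256 Fingerprint=//'
}

# verify_file CERTDIR PEMFILE
# True if PEMFILE chains to something in CERTDIR (the -CApath test).
verify_file() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# verify_cert CERTDIR NAME
# The two checks from the post, -CAfile and -CApath, on the stored cert.
# Succeeds only if both do.
verify_cert() {
    dir=$1; pem=$1/$2.pem
    openssl verify -CAfile "$pem" "$pem" >/dev/null 2>&1 && verify_file "$dir" "$pem"
}

# usage:
#   fetch_cert ssl.smtp.example.com 25 smtp \
#       | install_cert ~/.sylpheed-2.0/certs ssl.smtp.example.com:25
#   verify_cert ~/.sylpheed-2.0/certs ssl.smtp.example.com:25
# then read the printed fingerprint back to the server admin before trusting it.
```

the fingerprint install_cert prints is the value to compare against what the server administrator computes on the server itself; a matching -CAfile/-CApath test only proves the file is well formed and self-consistent, not that it came from the real server.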