[gentoo-user] Import SSL Certificate Authority

Thu, 02 Mar 2006 09:28:38 -0800 

Hi all, 

  I use fetchmail to retrieve mail from my university's IMAP server
with SSL enabled. After an upgrade to the latest stable version,
whenever I run fetchmail, I get the following output:

[12:12 PM]wwong ~ $ fetchmail
fetchmail: Server certificate verification error: unable to get local issuer 
certificate
fetchmail: Server certificate verification error: certificate not trusted
fetchmail: Server certificate verification error: unable to verify the first 
certificate

But since I didn't request fetcmail to strictly match certificates,
the mail still downloads fine. Now, the server certificate from the
university mail server is signed by the university's computing staff,
and I know that if I use webmail or other resources, I can download
the certificate and, when a dialog pops up asking if I want to trust
the CA, I can set it so that firefox won't ask anymore in the future. 

My question is, how do I import a certificate authority so that
fetchmail would recognize it? From the man page it says

       --sslcertck
              (Keyword: sslcertck) Causes  fetchmail  to  strictly  check  the
              server  certificate  against a set of local trusted certificates
              (see the sslcertpath option). If the server certificate  is  not
              signed  by one of the trusted ones (directly or indirectly), the
              SSL connection will fail. This checking should  prevent  man-in-
              the-middle  attacks  against  the SSL connection. Note that CRLs
              are seemingly not currently supported by OpenSSL in  certificate
              verification!  Your  system  clock should be reasonably accurate
              when using this option!

       --sslcertpath <directory>
              (Keyword: sslcertpath) Sets the directory fetchmail uses to look
              up  local certificates. The default is your OpenSSL default one.
              The directory must be hashed as OpenSSL expects it - every  time
              you  add  or  modify a certificate in the directory, you need to
              use the c_rehash tool (which comes with OpenSSL  in  the  tools/
              subdirectory).

so I guess my question is how to import a certificate into OpenSSL?

Thanks, 

Willie
-- 
Bakers trade bread recipes on a knead to know basis.
Sortir en Pantoufles: up 110 days,  9:37
-- 
[email protected] mailing list

Reply via email to