On Sun, Jan 24, 2016 at 3:43 PM, John Hudak <jjhu...@gmail.com> wrote:
> I installed msmtp on opensuse 13.2 using yast from the package repository.
> tls_trust_file /etc/ssl/certs/ca-certificates.crt

If that's suse's big global ca file, it may be old, inspect and try...
https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt

> cannot load trust file /etc/ssl/certs/ca-certificates.crt:
> error:2D06C06E:FIPS routines:FIPS_module_mode_set:fingerprint does not match

I don't recall that specific error but google uses an intermediate
private ca that probably isn't in that global set, get it from the
gmail server cert. See...
openssl s_client -connect | openssl x509 -text

> If I comment out the line and add tls_certcheck off, the program appears to
> work, e.g. I get mail at gmail.

Pinning down the fingerprint is needed for better security, theirs
changes often.
And you want narrow per server configs so you don't end up trusting the
whole global set in the trust file.

Also useful...
openssl verify
https://github.com/agl/extract-nss-root-certs

> So, I am a novice at cert mgmt, how can this be fixed?

Search around on the commands above in order to
validate your cert chain.

_______________________________________________
msmtp-users mailing list
msmtp-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/msmtp-users
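
Added example, not part of the original message: a Python sketch of the fingerprint pinning check the reply recommends. It reads saved `openssl s_client -showcerts` output and compares the leaf certificate's SHA-256 fingerprint with a pinned value, such as one given to msmtp's tls_fingerprint setting. The sample input is constructed (placeholder bytes, not real certificates) and every function name is hypothetical.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

# Constructed sample shaped like `openssl s_client -showcerts` output. The
# base64 bodies are placeholder bytes, not real certificates.
SAMPLE_S_CLIENT = """\
Certificate chain
 0 s:CN = smtp.example.test
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
bGVhZi1jZXJ0LXBsYWNlaG9sZGVyLWJ5dGVz
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
aW50ZXJtZWRpYXRlLXBsYWNlaG9sZGVyLWJ5dGVz
-----END CERTIFICATE-----
"""


def chain_fingerprints(s_client_output):
    """SHA-256 over each certificate's DER bytes, leaf first, as AA:BB:..."""
    prints = []
    for body in PEM_RE.findall(s_client_output):
        der = base64.b64decode("".join(body.split()))
        digest = hashlib.sha256(der).hexdigest().upper()
        prints.append(":".join(digest[i:i + 2] for i in range(0, 64, 2)))
    return prints


def normalize(pin):
    """Drop an 'sha256 Fingerprint=' prefix, colons and case differences."""
    return re.sub(r"[^0-9A-Fa-f]", "", pin.split("=")[-1]).upper()


def check_pin(s_client_output, pin):
    """Compare a pinned fingerprint with the certificate the server presented."""
    prints = [normalize(p) for p in chain_fingerprints(s_client_output)]
    if not prints:
        return "no-cert"             # handshake failed or output was truncated
    if normalize(pin) == prints[0]:
        return "match"
    if normalize(pin) in prints[1:]:
        return "pinned-ca-not-leaf"  # pin belongs to an issuer, not the server
    return "mismatch"                # leaf differs: validate chain before re-pinning
```

A "mismatch" result is the expected outcome whenever the server rotates its certificate, which is why the new chain should be validated before the pin is updated.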
