On 10/23/10 12:34, Breen Mullins wrote:
* Joseph <syscon...@gmail.com> [2010-10-23 12:50 -0600]:

I'm using command:
openssl s_client -connect pop.gmail.com:995 -showcerts

and it printed out:

--------copy---------------
CONNECTED(00000003)
depth=1 C = US, O = Google Inc, CN = Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com
  i:/C=US/O=Google Inc/CN=Google Internet Authority
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
1 s:/C=US/O=Google Inc/CN=Google Internet Authority
  i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
[...]
So I assume the first one is the gmail.pem certificate
and the second was the equifax.pem certificate

No. Both of those were sent by the Google server. The first is for the
server, and was issued by Google's own signing authority. The second
is the Google signing authority certificate, which is issued by Equifax.
Note the s: and i: lines for each cert.
(It's complicated but allowed by the standards.)

If the server were allowed to send a copy of a certificate authority's
cert as well as the server one, a bad guy could just forge the whole
chain and you'd accept it and never be the wiser. You're supposed to
get independent verification of the validity of the certificate
chain. That usually means that you get the cert from your OS vendor
at install time.

Please don't leave the mailing list off replies.

Breen
--
Breen Mullins
b...@sdf.org

I'm confused.  Where do I get: equifax.pem certificate?

I've run:
openssl s_client -connect pop.gmail.com:995 -CApath ~/.mutt/cert/

and it returns status OK (I think).

-------copy---------------
openssl s_client -connect pop.gmail.com:995 -CApath ~/.mutt/cert/
CONNECTED(00000003)
depth=2 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = pop.gmail.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority
---
No client certificate CA names sent
---
SSL handshake has read 1845 bytes and written 393 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: 74301E58F2ECE3F95927D5FBDEE775EB14DC175F98AA13BDA7369959CC3570E0
    Session-ID-ctx:
    Master-Key: DDDD19B9105956CA02CB148083B5A48426B6DC42F08D900CD18AE1D1764102986B4A3372EDC87462DB60A60B01FC0E0E
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 100800 (seconds)
    TLS session ticket:
    0000 - 59 91 3e e9 f6 d3 78 f8-0a 17 37 d5 aa c7 2c 29   Y.>...x...7...,)
    0010 - c0 59 8f d2 62 3b e8 e5-71 f0 4e ae 8b f1 77 b3   .Y..b;..q.N...w.
    0020 - 97 eb 3c 03 4e 2a b6 7a-9f e5 62 3e 38 4f 82 5b   ..<.N*.z..b>8O.[
    0030 - 58 79 cd 73 6c 4e f0 c7-0a 33 1b 41 5b 60 a7 ac   Xy.slN...3.A[`..
    0040 - 76 f0 80 8d ff a4 76 70-ba 93 af ef 87 5c 6c 8e   v.....vp.....\l.
    0050 - 8e 13 34 ec f2 a8 35 c6-c0 6f f2 53 61 ec 1f 04   ..4...5..o.Sa...
    0060 - e9 ca 55 fd cb 36 81 84-19 6c 4b 9d e4 1a 8b ea   ..U..6...lK.....
    0070 - 28 eb 1a cf e5 5f 94 07-92 3f db cb 95 de ab fe   (...._...?......
    0080 - ba 6f c7 b0 0a 3c e1 08-ee 00 b2 fd ed b8 62 3b   .o...<........b;
    0090 - 93 ee f1 56                                       ...V

    Start Time: 1287863393
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
+OK Gpop ready for requests from 68.148.245.78 m10pf20588676ibu.13
read:errno=0
----------end copy-------------

--
Joseph
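The chain logic Breen describes and the -CApath question above, as an added shell example that is not part of this thread: it builds a throwaway root / intermediate / leaf chain with openssl in a temporary directory (all names hypothetical, nothing to do with Google's or Equifax's real certificates) and shows that only a locally held self-signed root makes `openssl verify` succeed, whether given as -CAfile or as a hashed -CApath directory; the server-sent intermediate on its own is not enough.

```shell
# Added example: a local root -> intermediate -> leaf chain, then several
# trust-store configurations checked with `openssl verify`. Offline, temp dir only.
set -eu
WORK=$(mktemp -d)
cd "$WORK"
make_chain() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
    # Self-signed root: the counterpart of equifax.pem, which the server never sends.
    openssl req -new -newkey rsa:2048 -nodes -subj "/O=Example Root CA" \
        -keyout root.key -out root.csr 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext \
        -out root.pem 2>/dev/null
    # Intermediate signed by the root: the counterpart of the "Google Internet
    # Authority" cert, which the server does send (chain entry 1 in the transcript).
    openssl req -new -newkey rsa:2048 -nodes -subj "/O=Example Intermediate CA" \
        -keyout inter.key -out inter.csr 2>/dev/null
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 30 -extfile ca.ext -out inter.pem 2>/dev/null
    # Leaf signed by the intermediate: chain entry 0.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=pop.example.test" \
        -keyout leaf.key -out leaf.csr 2>/dev/null
    openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
        -days 30 -out leaf.pem 2>/dev/null
}
# Root in the local store, server-sent intermediate passed as untrusted input:
# what a correct client does. Expected: OK.
verify_with_root() { openssl verify -CAfile root.pem -untrusted inter.pem leaf.pem >/dev/null 2>&1; }

# Treating the server-sent intermediate as the trust anchor: it is not
# self-signed, so openssl still asks who issued it and fails.
verify_with_intermediate_as_anchor() { openssl verify -CAfile inter.pem leaf.pem >/dev/null 2>&1; }

# No local root at all: the "unable to get local issuer certificate" case from
# the first transcript (the throwaway root is not in the system store either).
verify_without_root() { openssl verify -untrusted inter.pem leaf.pem >/dev/null 2>&1; }

# -CApath expects files named by subject hash (<hash>.0), as c_rehash would create.
verify_with_capath() {
    mkdir -p store
    ln -sf "$WORK/root.pem" "store/$(openssl x509 -hash -noout -in root.pem).0"
    openssl verify -CApath store -untrusted inter.pem leaf.pem >/dev/null 2>&1
}

make_chain
verify_with_root                   && echo "root in local store:       OK"
verify_with_intermediate_as_anchor || echo "intermediate as anchor:    FAIL"
verify_without_root                || echo "no local root:             FAIL"
verify_with_capath                 && echo "hashed -CApath directory:  OK"
```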
