SSL fingerprints mailserver : SMG’s Weblog
I use fetchmail to pull down my mail from the mailserver. Just now the SSL fingerprints changed,
leading to an error like:
fetchmail: <mailserver> fingerprints do not match!
12096:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:../../../../common/openssl/ssl/s3_clnt.c:894:
fetchmail: SSL connection failed.
fetchmail: socket error while fetching from <userid>@<mailserver>
fetchmail: Query status=2 (SOCKET)
To get the new fingerprint, first fetch the changed SSL certificate:
openssl s_client -connect <mailserver>:<port> -showcerts
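Copy the first certificate in the output (the server's own certificate), including its
BEGIN CERTIFICATE and END CERTIFICATE lines, to a file <mailserver>.pem. Now generate
the MD5 fingerprint of this PEM file: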
openssl x509 -fingerprint -md5 -noout -in <mailserver>.pem
MD5 Fingerprint=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
and put it in the .fetchmailrc file:
poll <mailserver> protocol imap port <port>
username <userid>
ssl sslfingerprint XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
sslcertpath /path/to/certs
Whew, nice and quick, thanks to Google 🙂
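An added example, not from the original post: a Python check that takes saved `openssl s_client -showcerts` output, computes the MD5 fingerprint of the first certificate in the same layout the openssl command above prints, and compares it with the sslfingerprint pinned in .fetchmailrc, so the old and new values can be seen side by side before the file is edited. The function names, mail.example.org, alice and the sample bytes are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
PIN_RE = re.compile(r"\bsslfingerprint\s+[\"']?([0-9A-Fa-f:]{47})[\"']?")

def first_cert_der(s_client_output):
    """DER bytes of the first PEM block, i.e. the server's own certificate."""
    match = PEM_RE.search(s_client_output)
    if match is None:
        raise ValueError("no PEM certificate in input")
    return base64.b64decode(match.group(1))

def md5_fingerprint(der):
    """MD5 over the DER bytes as colon-separated upper-case hex, the same
    layout `openssl x509 -fingerprint -md5` prints."""
    digest = hashlib.md5(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def pinned_fingerprint(fetchmailrc_text):
    """Value of the first sslfingerprint option, or None if unset."""
    match = PIN_RE.search(fetchmailrc_text)
    return match.group(1).upper() if match else None

def check_pin(s_client_output, fetchmailrc_text):
    """Return (matches, presented, pinned) without changing any file."""
    presented = md5_fingerprint(first_cert_der(s_client_output))
    pinned = pinned_fingerprint(fetchmailrc_text)
    return presented == pinned, presented, pinned

# Constructed sample: placeholder bytes in a PEM wrapper, not a real certificate.
SAMPLE_DER = b"constructed sample bytes standing in for a DER certificate"
SAMPLE_OUTPUT = (
    "Certificate chain\n 0 s:CN = mail.example.org\n"
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)
OLD_RC = ("poll mail.example.org protocol imap port 993\n"
          "username alice\n"
          "ssl sslfingerprint 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF\n")

if __name__ == "__main__":
    ok, presented, pinned = check_pin(SAMPLE_OUTPUT, OLD_RC)
    print("match" if ok else "MISMATCH", "presented:", presented, "pinned:", pinned)
```

A mismatch only shows that the certificate changed; whether the new one is legitimate has to be confirmed with the server operator over another channel before it is pinned.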