diff options
author | Eric S. Raymond <esr@thyrsus.com> | 2001-05-14 06:54:37 +0000 |
---|---|---|
committer | Eric S. Raymond <esr@thyrsus.com> | 2001-05-14 06:54:37 +0000 |
commit | c5a58c018e5a8207bd39a63aedcd8ef206c9d8ab (patch) | |
tree | 0bf23b7047e5dfb584f97a32db1e1714304fcaf4 /fetchmail.man | |
parent | c346e09c465f8365b8d91041f10f56f3c8227213 (diff) | |
download | fetchmail-c5a58c018e5a8207bd39a63aedcd8ef206c9d8ab.tar.gz fetchmail-c5a58c018e5a8207bd39a63aedcd8ef206c9d8ab.tar.bz2 fetchmail-c5a58c018e5a8207bd39a63aedcd8ef206c9d8ab.zip |
SSL certification handling.
svn path=/trunk/; revision=3314
Diffstat (limited to 'fetchmail.man')
-rw-r--r-- | fetchmail.man | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/fetchmail.man b/fetchmail.man index cc7e46a2..030da083 100644 --- a/fetchmail.man +++ b/fetchmail.man @@ -310,6 +310,34 @@ server. This can cause some complications in daemon mode. (Keyword: sslproto) Forces an ssl protocol. Possible values are \&`\fBssl2\fR', `\fBssl3\fR' and `\fBtls1\fR'. Try this if the default handshake does not work for your server. +.TP +.B \--sslcertck +(Keyword: sslcertck) +Causes fetchmail to strictly check the server certificate against a set of +local trusted certificates (see the \fBsslcertpath\fR option). If the server +certificate is not signed by one of the trusted ones (directly or indirectly), +the SSL connection will fail. This checking should prevent man-in-the-middle +attacks against the SSL connection. Note that CRLs are seemingly not currently +supported by OpenSSL in certificate verification! Your system clock should +be reasonably accurate when using this option! +.TP +.B \--sslcertpath <directory> +(Keyword: sslcertpath) +Sets the directory fetchmail uses to look up local certificates. The default +is your OpenSSL default one. The directory must be hashed as OpenSSL expects +it - every time you add or modify a certificate in the directory, you need +to use the \fBc_rehash\fR tool (which comes with OpenSSL in the tools/ +subdirectory). +.TP +.B \--sslfingerprint +(Keyword: sslfingerprint) +Specify the fingerprint of the server key (an MD5 hash of the key) in +hexadecimal notation with colons separating groups of two digits. The letter +hex digits must be in upper case. This is the default format OpenSSL uses, +and the one fetchmail uses to report the fingerprint when an SSL connection +is established. When this is specified, fetchmail will compare the server key +fingerprint with the given one, and the connection will fail if they do not +match. This can be used to prevent man-in-the-middle attacks. .SS Delivery Control Options .TP .B \-S <hosts>, --smtphost <hosts> |