From 45b7b420fa0405c21a6d2c31bfc64778bdbdf292 Mon Sep 17 00:00:00 2001 From: Matthias Andree Date: Thu, 6 Apr 2006 09:47:28 +0000 Subject: * SSL/TLS: if, for a certain server, an sslfingerprint is specified and sslcertck is NOT set, suppress printing SSL certificate mismatch errors. (Reported by Hannes Erven.) * SSL/TLS: always print if the sslfingerprint mismatches, even in silent mode. (This is for consistency with certificate verification errors.) svn path=/branches/BRANCH_6-3/; revision=4781 --- fetchmail.man | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) (limited to 'fetchmail.man') diff --git a/fetchmail.man b/fetchmail.man index 662ecf3a..2fbd5207 100644 --- a/fetchmail.man +++ b/fetchmail.man @@ -411,10 +411,14 @@ on context. Causes fetchmail to strictly check the server certificate against a set of local trusted certificates (see the \fBsslcertpath\fR option). If the server certificate is not signed by one of the trusted ones (directly or indirectly), -the SSL connection will fail. This checking should prevent man-in-the-middle -attacks against the SSL connection. Note that CRLs are seemingly not currently -supported by OpenSSL in certificate verification! Your system clock should -be reasonably accurate when using this option! +the SSL connection will fail, regardless of the \fBsslfingerprint\fR +option. This checking should prevent man-in-the-middle attacks against +the SSL connection. Note that CRLs are seemingly not currently supported +by OpenSSL in certificate verification! Your system clock should be +reasonably accurate when using this option. +.IP +Note that this optional behavior may become default behavior in future +fetchmail versions. .TP .B \-\-sslcertpath (Keyword: sslcertpath) 
@@ -432,7 +436,14 @@ hex digits must be in upper case. This is the default format OpenSSL uses, and the one fetchmail uses to report the fingerprint when an SSL connection is established. When this is specified, fetchmail will compare the server key fingerprint with the given one, and the connection will fail if they do not -match. This can be used to prevent man-in-the-middle attacks. +match regardless of the \fBsslcertck\fR setting. +This can be used to prevent man-in-the-middle attacks, but the finger +print from the server needs to be obtained or verified over a secure +channel, and certainly not over the same Internet connection that +fetchmail would use. +.IP +Using this option will prevent printing certificate verification errors +as long as \-\-sslcertck is unset. .IP To obtain the fingerprint of a certificate stored in the file cert.pem, try: -- cgit v1.2.3
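Review bot: In the first hunk (fetchmail.man, sslcertck paragraph) the added sentence "Note that this optional behavior may become default behavior in future fetchmail versions." is vague about which behavior is meant; say "strict certificate checking" explicitly, e.g. "Strict certificate checking may become the default in future fetchmail versions." Same hunk: the retained "CRLs are seemingly not currently supported by OpenSSL" hedge ("seemingly") reads as an unverified guess in a security-relevant paragraph; either state the checked OpenSSL version for which it holds or drop the qualifier. The new "regardless of the \fBsslfingerprint\fR option" clause is the important part and matches the commit message; consider also stating the converse here (that a passing sslcertck check does not waive a configured sslfingerprint), so the reader does not have to find it under sslfingerprint.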
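Review bot: In the second hunk (sslfingerprint paragraph) "finger\nprint" is split into two words; the option and the rest of the page use "fingerprint", so the line should read "but the fingerprint from the server needs to be obtained or verified over a secure channel". Same hunk: "\-\-sslcertck" is written in command-line form while the surrounding sentence uses the keyword form "\fBsslcertck\fR"; use one form consistently. The commit message says a fingerprint mismatch is now always reported even in silent mode, but neither added paragraph documents that; the new ".IP Using this option will prevent printing certificate verification errors as long as \-\-sslcertck is unset." paragraph is the natural place to add "A fingerprint mismatch is always reported, even with \-\-silent." so the man page and the behaviour stay in step. Also worth spelling out in that paragraph that certificate verification errors are suppressed only because the fingerprint check still rejects an unexpected server key, so the reader understands what is and is not being checked when sslcertck is unset.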