
I'm puzzled about how to set up server certificate validation in getting my email, which isn't surprising given that I understand next to nothing about the way certificates work.

Here's the particular issue. I want to check over ssl/tls to see that the server certificate is valid, and that it matches a fingerprint I have for it. So, I know just enough to get the certificate from the server, in this case from Google:

    $ openssl s_client -connect pop.gmail.com:995 -showcerts > ~/gmail.openssl.txt

By inspection I can see that the certificate is provided by GlobalSign. So I do a quick check:

    $ ls -l /etc/ssl/certs/GlobalSign*

Lo and behold, there is an obvious hit: GlobalSign_Root_CA.pem. So I put that down as the certificate for the server. Then, I can get the fingerprint for it from the same file, like so:

    $ openssl x509 -fingerprint -sha256 -noout -in ~/gmail.openssl.txt > gmail.fingerprint.txt

(Getmail uses sha256 as its preferred algorithm.) I take the fingerprint from the file and use that to certify the server.

Thing is, the technique doesn't work. First I get an unhelpful error message saying that the certificate, GlobalSign_Root_CA.pem, gives an authentication error. Well, okay. If I take that out of the equation I then get told that the fingerprint is wrong, but this time at least I'm told what the correct fingerprint is -- and if I put the correct one in all seems well.

The example above is about gmail, but I have the same problem with rogers and other servers. Oddly, the Office365 servers work exactly as they should.

Two questions, which most of you undoubtedly know the answer to:

[1] If the email gets fetched with the fingerprint, is there any need for validating the server certificate?

[2] How can I find out what the correct server certificate is?

-- 
Peter King                          peter.king@utoronto.ca
Department of Philosophy
170 St. George Street #521
The University of Toronto           (416)-978-3311 dept
Toronto, ON  M5R 2M8
CANADA

http://individual.utoronto.ca/pking/

=========================================================================
GPG keyID 0x7587EC42 (2B14 A355 46BC 2A16 D0BC 36F5 1FE6 D32A 7587 EC42)
gpg --keyserver pgp.mit.edu --recv-keys 7587EC42
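
An added example, not part of the original message: a Python sketch that computes the SHA-256 fingerprint of every certificate in saved "openssl s_client -showcerts" output and reports which chain position a given fingerprint belongs to (position 0 is the server's own certificate, later positions are its issuers). The sample chain, the host name mail.example.test and the CA name are constructed placeholders, and the bodies are placeholder bytes rather than real certificates.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def chain_from_showcerts(text):
    """DER bytes of each certificate in the output, in the order sent."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_RE.findall(text)]

def fingerprint(der):
    """SHA-256 over the DER bytes, formatted like openssl x509 -fingerprint."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(pin):
    """Accept 'sha256 Fingerprint=AA:BB:...' or bare hex; return lowercase hex."""
    return re.sub(r"[^0-9A-Fa-f]", "", pin.split("=", 1)[-1]).lower()

def locate_pin(text, pin):
    """Chain position (0 = server's own certificate) matching pin, or None."""
    want = normalize(pin)
    for pos, der in enumerate(chain_from_showcerts(text)):
        if hashlib.sha256(der).hexdigest() == want:
            return pos
    return None

def _pem(der):
    """Wrap bytes in PEM armour (used only to build the constructed sample)."""
    b64 = base64.b64encode(der).decode("ascii")
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *rows,
                      "-----END CERTIFICATE-----"]) + "\n"

# Constructed sample: placeholder bytes stand in for real DER certificates.
LEAF_DER = b"constructed placeholder: server certificate " * 3
CA_DER = b"constructed placeholder: issuing CA certificate " * 3
SAMPLE = ("CONNECTED(00000003)\n---\nCertificate chain\n"
          " 0 s:CN = mail.example.test\n" + _pem(LEAF_DER) +
          " 1 s:CN = Example Test CA\n" + _pem(CA_DER) + "---\n")

if __name__ == "__main__":
    for pos, der in enumerate(chain_from_showcerts(SAMPLE)):
        print(pos, fingerprint(der))
    print("pin found at position:", locate_pin(SAMPLE, fingerprint(CA_DER)))
```

To use it on real output, pass the contents of the saved s_client file as the text argument in place of SAMPLE.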