Off-tangent... Can someone do a talk on "SSL/TLS Certificate" for users, sysadmin, and application programmers level? Like, - how to create certificate - what fields to populate when create certificate. It seems to be sensitive to expiry date, certain fields, etc. - how to install them, at server side and at client side. I understand SSH private/public keys. But, for the life of me, I don't understand SSL/TLS or OpenSSL package. -- William Park <opengeometry@yahoo.ca> On Mon, Jul 16, 2018 at 09:16:48PM -0400, Peter King via talk wrote:
I'm puzzled about how to set up server certificate validation in getting my email, which isn't surprising given that I understand next to nothing about the way certificates work.
Here's the particular issue. I want to check over ssl/tls to see that the server certificate is valid, and that it matches a fingerprint I have for it. So, I know just enough to get the certificate from the server, in this case from Google:
$ openssl s_client -connect pop.gmail.com:995 -showcerts > ~/gmail.openssl.txt
By inspection I can see that the certificate is provided by GlobalSign. So I do a quick check:
$ ls -l /etc/ssl/certs/GlobalSign*
Lo and behold, there is an obvious hit: GlobalSign_Root_CA.pem. So I put that down as the certificate for the server.
Then, I can get the fingerprint for it from the same file, like so:
$ openssl x509 -fingerprint -sha256 -noout -in ~/gmail.openssl.txt > gmail.fingerprint.txt
(Getmail uses sha256 as its preferred algorithm.) I take the fingerprint from the file and use that to certify the server.
Thing is, the technique doesn't work. First I get an unhelpful error message saying that the certificate, GlobalSign_Root_CA.pem, gives an authentication error. Well, okay. If I take that out of the equation I then get told that the fingerprint is wrong, but this time at least I'm told what the correct fingerprint is -- and if I put the correct one in all seems well.
The example above is about gmail, but I have the same problem with rogers and other servers. Oddly, the Office365 servers work exactly as they should.
Two questions, which most of you undoubtedly know the answer to:
[1] If the email gets fetched with the fingerprint, is there any need for validating the server certificate?
[2] How can I find out what the correct server certificate is?
-- Peter King peter.king@utoronto.ca Department of Philosophy 170 St. George Street #521 The University of Toronto (416)-978-3311 dept Toronto, ON M5R 2M8 CANADA
http://individual.utoronto.ca/pking/
========================================================================= GPG keyID 0x7587EC42 (2B14 A355 46BC 2A16 D0BC 36F5 1FE6 D32A 7587 EC42) gpg --keyserver pgp.mit.edu --recv-keys 7587EC42
--- Talk Mailing List talk@gtalug.org https://gtalug.org/mailman/listinfo/talk