[fetchmail] disable ssl cert check

Matthias Andree matthias.andree@gmx.de
Thu, 06 Apr 2006 11:19:49 +0200


Hannes Erven <h.e@gmx.at> writes:

> Matthias Andree wrote:

>> The (justified) complaint was that "nosslcertck" does not exist.
>
> One already can leave sslcertck out.
> (I expected that that has the same effect as "nosslcertck"...)

Yes, same effect.

>> I don't plan to add this option however, because the user might just as
>> well not use ssl/tls at all to achieve the same purpose.
>> I'm not going to take part in new "creating false feeling of
>> security" games.
>
> Do you say that verifying ssl certificate fingerprints against known
> values does create a false feeling of security?

No, but disabling SSL certificate checking is the wrong way to go -- and
users actually have to obtain the fingerprint via some safe channel, and
there's some hen-and-egg-problem.

> My university's ssl certs expired recently, and it took several weeks
> for them to get new ones. An intermediate solution was to use self
> signed certificates on the servers and publish their fingerprints.

Well, usually they publish fingerprints of their _root_ certificates
they sign with (or at least they should, so as not to publish a dozen
fingerprints for certificates of a dozen central servers).

> When fetching mail with fetchmail - even with sslfingerprint and without
> sslcertck! - there was on each and every fetching attempt a line written
> out: "Warning: self-signed certificate" (or like that)...

Ah, I see the problem. I'll see to fixing this before 6.3.4.

> This is even more annoying when you use cron to kick off your poll,
> because cron happily sends an email containing the output of
> fetchmail.

Cron is inferior to daemon mode, because fetchmail keeps some state
information in daemon mode and sends warnings. OK, cron will also mail
such warnings, but I don't want to hear about "temporary error, try
again later" if it happens just in one out of 6 polls per hour.

> It would be kind of you if you could provide more detail on why you feel
> that sslfingerprint creates a false feeling of security.

sslfingerprint doesn't, but trying to defeat justified warnings does.

Note though, that if there's a man-in-the-middle attack in progress,
that attacker can easily exchange information on web sites, too, to
match the fingerprints to his fake certificates. A placard in a locked
showcase next to the NOC bureau door would work better...

-- 
Matthias Andree
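
A small model of the three setups discussed in this thread (a pinned fingerprint, a chain check, or neither), added here as an illustration; it is not fetchmail's code and not part of the original message. SHA-256, the function names and the sample byte strings are assumptions made for the example.

```python
import hashlib
import hmac

def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated upper-case hex digest of DER-encoded certificate bytes."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def _normalize(fp: str) -> str:
    # Accept "ab:cd", "AB CD" or "abcd" so a hand-copied pin still compares.
    return "".join(c for c in fp.upper() if c in "0123456789ABCDEF")

def pin_matches(der: bytes, pinned: str, algo: str = "sha256") -> bool:
    # compare_digest avoids leaking where the two strings first differ.
    return hmac.compare_digest(_normalize(fingerprint(der, algo)),
                               _normalize(pinned))

def decide(der, pinned=None, check_chain=False, chain_ok=False):
    """Return (accept, reason) for the setups discussed in the thread.

    pinned      -- fingerprint published by the operator (hypothetical parameter)
    check_chain -- whether CA chain verification was requested
    chain_ok    -- result of that verification, supplied by the caller
    """
    if pinned is not None:
        # A pin identifies one exact certificate, so a self-signed
        # certificate that matches the pin is accepted without a chain.
        ok = pin_matches(der, pinned)
        return ok, "pin matched" if ok else "pin mismatch"
    if check_chain:
        return chain_ok, "chain verified" if chain_ok else "chain verification failed"
    # Neither check: the link is encrypted, but to an unidentified peer.
    return True, "unauthenticated: peer identity not checked"

# Constructed stand-ins for DER certificate bytes (not real certificates).
# On a live connection they would come from SSLSocket.getpeercert(binary_form=True).
SERVER_DER = b"constructed self-signed server certificate"
MITM_DER = b"constructed certificate substituted by an interceptor"
# Assumed to have been obtained over a channel the interceptor cannot alter.
PIN = fingerprint(SERVER_DER)

if __name__ == "__main__":
    for name, der in (("server", SERVER_DER), ("substituted", MITM_DER)):
        print(name, decide(der, pinned=PIN), decide(der))
```

With no pin and no chain check, the substituted certificate is accepted just like the genuine one; the pin is only as trustworthy as the channel it was copied from.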