-The really paranoid (who chose to not trust a CA) can check the fingerprint of
-the public key that is used by the server. The fingerprint is a hash of that
-key that (hopefully) has few collisions and is hard to attack using a "birthday
-attack", i.e. nobody can generate a second key that hashes to the same value
-of the original key in reasonable time. So, if the fingerprint matches, you
-can be reasonable sure that you talk to the original server, because only that
-knows the secret key, and it is very hard to generate a matching secret key from
-the public key. If it doesn't, it might be an attack, but keep in mind that the
-server key may also have changed legitimately before panicing ;)
-
-fetchmail will present the fingerprint to you. Another mode, that strictly
-checks the fingerprint, is available (using the sslfingerprint option, and
-giving the desired fingerprint as an argument). If you want to check finger-
-prints, you should use that option, because otherwise, it may be too late
-to cancel if you see the fingerprint (your password may already have been
-transmitted)!
-
-The certificate directory must be hashed in a way OpenSSL expects it: each
-time you modify a file in that directory or add a file to it, you need
-to use the c_rehash perl script that comes with OpenSSL (in the tools/
-subdirectory, in case that it isn't installed). Additionally, you might
-need to convert the ceriticates to different formats (the PEM format is expected
-and usually is available, DER is another one; you can convert between
-both using the openssl(1) utility).
-
-The fingerprints fetchmail uses are MD5 sums. You can generate them e.g. useing
-the openssl(1) "x509 -fingerprint" command. The format is a hexadecimal string
-with a ":" separating two byes (i.e. a ":" every two hex "digits"). The letter
-hex digits must be in upper case!
-
-*CAVEAT*: OpenSSL seems to be unable to check CRLs at the moment!
+The certificate directory must be hashed in a way OpenSSL expects it: each time
+you modify a file in that directory or add a file to it, you need to use the
+"c_rehash" perl script that comes with OpenSSL (in the tools/ subdirectory, in
+case that it is not installed). Additionally, you might need to convert the
+certificates to different formats (the PEM format is expected and usually is
+available, DER is another one; you can convert between both using the
+openssl(1) utility's x509 sub-mode).
+
+The really paranoid (who chose to not trust a CA) can check the fingerprint of
+the public key that is used by the server. The fingerprint is a hash of that
+key that (hopefully) has few collisions and is hard to attack using a "birthday
+attack", i.e. nobody can generate a second key that hashes to the same value of
+the original key in reasonable time. So, if the fingerprint matches, you can be
+reasonably sure that you are talking to the original server, because
+only that server knows the secret key, and it is very hard to generate a
+matching secret key from the public key. If the fingerprint does not
+match, there might be an attack, but, before panicking, keep in mind
+that the server key may also have changed legitimately.
+
+Fetchmail will present the fingerprint to you in verbose mode. You can have
+fetchmail check the fingerprint (using the "sslfingerprint" option, and giving
+the desired fingerprint as an argument).
+
+The fingerprints fetchmail uses are MD5 sums. You can generate them e.g. using
+openssl(1)'s "x509 -fingerprint" command. The format is a hexadecimal string
+with a ":" separating two bytes (i.e. a ":" between every two hex "digits"). The
+match is case insensitive since release 6.3.10 (upper-case digits A to F were
+required up to and including release 6.3.9).
+
+*CAVEAT*: OpenSSL must be at least version 0.9.7 to be able to check CRLs.
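Review bot: The rewritten fingerprint paragraph (the "+Fetchmail will present the fingerprint to you in verbose mode" lines) drops the warning the old text carried, namely that merely looking at the fingerprint in the output is not a safe substitute for the "sslfingerprint" option because by the time the fingerprint is displayed the password may already have been transmitted. That is the security-relevant reason to prefer the strict check, and the new wording reduces it to an optional "You can have fetchmail check the fingerprint". Please keep the rationale, e.g. "If you want to verify fingerprints, use the sslfingerprint option rather than reading the fingerprint from verbose output: by the time you see it, your password may already have been sent." The same paragraph group also leaves the hash-quality hedge as "(hopefully) has few collisions" while the later paragraph states the fingerprints are MD5 sums; stating that caveat plainly next to the MD5 sentence would be clearer than the parenthetical.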