* a few more type fixes for report/snprintf, patch by Miloslav Trmac.
* bouncing: fetchmail would still send "General SMTP/ESMTP error." bounces
in spite of "no bouncemail" configuration.
+* SSL/TLS: if, for a certain server, an sslfingerprint is specified and
+ sslcertck is NOT set, suppress printing SSL certificate mismatch errors.
+ (Reported by Hannes Erven.)
+* SSL/TLS: always print if the sslfingerprint mismatches, even in silent
+ mode. (This is for consistency with certificate verification errors.)
# CHANGES:
* pidfile: there is a new command-line (--pidfile PATH) and global option for
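Review bot: the first NEWS entry (the "suppress printing SSL certificate mismatch errors" bullet) uses "certificate mismatch" for what the man page and the code call certificate verification errors, while the entry right after it uses "sslfingerprint mismatches" for a different check; side by side the two bullets read as contradicting each other. Suggest rewording the first to "suppress printing SSL certificate verification errors" so it matches the `sslfingerprint` man page text and the `Server certificate verification error:` message in socket.c.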
Causes fetchmail to strictly check the server certificate against a set of
local trusted certificates (see the \fBsslcertpath\fR option). If the server
certificate is not signed by one of the trusted ones (directly or indirectly),
-the SSL connection will fail. This checking should prevent man-in-the-middle
-attacks against the SSL connection. Note that CRLs are seemingly not currently
-supported by OpenSSL in certificate verification! Your system clock should
-be reasonably accurate when using this option!
+the SSL connection will fail, regardless of the \fBsslfingerprint\fR
+option. This checking should prevent man-in-the-middle attacks against
+the SSL connection. Note that CRLs are seemingly not currently supported
+by OpenSSL in certificate verification! Your system clock should be
+reasonably accurate when using this option.
+.IP
+Note that this optional behavior may become default behavior in future
+fetchmail versions.
.TP
.B \-\-sslcertpath <directory>
(Keyword: sslcertpath)
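Review bot: the new sentence "the SSL connection will fail, regardless of the \fBsslfingerprint\fR option" could be read as saying the fingerprint is ignored once sslcertck is set; since the sslfingerprint paragraph makes the same "regardless of" statement in the other direction, it would be clearer to state once that both checks are applied when both are configured and that either failing aborts the connection. Minor style point: the clock sentence lost its trailing "!" while the CRL sentence kept it; pick one.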
and the one fetchmail uses to report the fingerprint when an SSL connection
is established. When this is specified, fetchmail will compare the server key
fingerprint with the given one, and the connection will fail if they do not
-match. This can be used to prevent man-in-the-middle attacks.
+match regardless of the \fBsslcertck\fR setting.
+This can be used to prevent man-in-the-middle attacks, but the finger
+print from the server needs to be obtained or verified over a secure
+channel, and certainly not over the same Internet connection that
+fetchmail would use.
+.IP
+Using this option will prevent printing certificate verification errors
+as long as \-\-sslcertck is unset.
.IP
To obtain the fingerprint of a certificate stored in the file cert.pem,
try:
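Review bot: "finger" / "print" is split into two words across the line break in the added text, while the rest of this page and the option name itself use "fingerprint"; join it. The new .IP paragraph "Using this option will prevent printing certificate verification errors as long as \-\-sslcertck is unset" should also say that the fingerprint mismatch message itself is still always printed, even in silent mode, as the NEWS entry states, otherwise a reader may conclude the option makes connection failures silent.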
}
/* Print the finger print. Note that on errors, we might print it more than once
* normally; we kluge around that by using a global variable. */
- if (_check_fp) {
+ if (_check_fp == 1) {
unsigned dp;
- _check_fp = 0;
+ _check_fp = -1;
digest_tp = EVP_md5();
if (digest_tp == NULL) {
report(stderr, GT_("EVP_md5() failed!\n"));
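Review bot: `_check_fp == 1` and `_check_fp = -1` introduce sentinel values whose meaning is not documented; the comment above only says a global is used to avoid printing twice, not that 1 means "check pending", -1 means "already checked" and 0 means "no fingerprint configured". Since a later condition on this page tests `_check_fp != 0`, the distinction between -1 and 0 is load-bearing; suggest named constants or at least a comment next to the variable's declaration.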
if (outlevel > O_NORMAL)
report(stdout, GT_("%s fingerprints match.\n"), _server_label);
} else {
- if (outlevel > O_SILENT)
- report(stderr, GT_("%s fingerprints do not match!\n"), _server_label);
+ report(stderr, GT_("%s fingerprints do not match!\n"), _server_label);
return (0);
}
- }
- }
- }
+ } /* if (_check_digest != NULL) */
+ } /* if (_check_fp) */
+ } /* if (depth == 0 && !_depth0ck) */
- if (err != X509_V_OK && err != _prev_err) {
- _prev_err = err;
+ if (err != X509_V_OK && err != _prev_err && !(_check_fp != 0 && _check_digest && !strict)) {
+ _prev_err = err;
report(stderr, GT_("Server certificate verification error: %s\n"), X509_verify_cert_error_string(err));
/* We gave the error code, but maybe we can add some more details for debugging */
switch (err) {
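Review bot: the new condition `!(_check_fp != 0 && _check_digest && !strict)` references `strict`, which is not visible in this hunk; confirm it reflects the per-server sslcertck setting and is reset for each server, because `_check_fp` and `_check_digest` are globals and a stale value could silence verification errors for a later poll that has no fingerprint configured. The expression is also hard to read inline; suggest hoisting it into a named local such as `fingerprint_only` with a comment that errors are suppressed only because the fingerprint check above is authoritative in non-strict mode. Removing the `outlevel > O_SILENT` guard so the mismatch is always reported is consistent with the NEWS entry.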