SSL fingerprints mailserver : SMG’s Weblog

SSL fingerprints mailserver

I use fetchmail to pull down my mail from the mailserver. Just now the SSL fingerprints changed, leading to an error like:

fetchmail: <mailserver> fingerprints do not match!

12096:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:../../../../common/openssl/ssl/s3_clnt.c:894:

fetchmail: SSL connection failed.

fetchmail: socket error while fetching from <userid>@<mailserver>

fetchmail: Query status=2 (SOCKET)

So to get the new fingerprint, first get the changed SSL cert:

openssl s_client -connect <mailserver>:<port> -showcerts

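and copy the first cert in the output (the server's own certificate, from the BEGIN CERTIFICATE line through the END CERTIFICATE line) to a file <mailserver>.pem. Now generate the SSL fingerprint of this pem file: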

openssl x509 -fingerprint -md5 -noout -in <mailserver>.pem

MD5 Fingerprint=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX

and put it in the .fetchmailrc file:

poll <mailserver> protocol imap port <port>
    username <userid>
    ssl sslfingerprint "XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX"
    sslcertpath /path/to/certs

Whew, nice and quick, thanks to google 🙂
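The same check as a script, added here as an example that is not part of the original post: it takes saved `openssl s_client -showcerts` output, computes the MD5 fingerprint of the first certificate, and compares it with the `sslfingerprint` value in .fetchmailrc text. The function names and the sample data (placeholder bytes, not real X.509 certificates) are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)
PIN_RE = re.compile(r"""sslfingerprint\s+["']?([0-9A-Fa-f:]+)["']?""")

def first_cert_der(s_client_output):
    """DER bytes of the first PEM block, i.e. the server's own certificate."""
    m = PEM_RE.search(s_client_output)
    if m is None:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))

def fingerprint(der, algo="md5"):
    """Colon-separated upper-case hex digest of the DER encoding,
    the value `openssl x509 -fingerprint` prints after the '='."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def pinned_fingerprint(fetchmailrc_text):
    """The sslfingerprint value from .fetchmailrc text, or None if absent."""
    m = PIN_RE.search(fetchmailrc_text)
    return m.group(1).upper() if m else None

def pin_matches(s_client_output, fetchmailrc_text):
    """True if the pinned fingerprint equals the first certificate's MD5."""
    current = fingerprint(first_cert_der(s_client_output))
    return current == pinned_fingerprint(fetchmailrc_text)

def pem(der):
    """Wrap bytes in PEM armour (used only to build the sample below)."""
    body = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed sample: placeholder bytes stand in for the leaf and issuer certs.
LEAF, CA = b"constructed-leaf-certificate", b"constructed-issuer-certificate"
SAMPLE_OUTPUT = ("Certificate chain\n 0 s:CN=mail.example\n" + pem(LEAF)
                 + " 1 s:CN=Example CA\n" + pem(CA))
SAMPLE_RC = ('poll mail.example protocol imap\n'
             '    ssl sslfingerprint "%s"\n' % fingerprint(LEAF))

if __name__ == "__main__":
    print("MD5 Fingerprint=" + fingerprint(first_cert_der(SAMPLE_OUTPUT)))
    print("pin matches:", pin_matches(SAMPLE_OUTPUT, SAMPLE_RC))
```

Before pasting a new value into .fetchmailrc, compare it with a fingerprint obtained from the mail provider through a separate channel; a value read over the same connection says nothing about who is answering.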
