[GTALUG] SSL Server Certificate

Peter King peter.king at utoronto.ca
Mon Jul 16 21:16:48 EDT 2018


I'm puzzled about how to set up server certificate validation in getting
my email, which isn't surprising given that I understand next to nothing
about the way certificates work.

Here's the particular issue.  I want to check over ssl/tls to see that the
server certificate is valid, and that it matches a fingerprint I have for
it.  So, I know just enough to get the certificate from the server, in this
case from Google:

  $ openssl s_client -connect pop.gmail.com:995 -showcerts > ~/gmail.openssl.txt

By inspection I can see that the certificate is provided by GlobalSign.  So
I do a quick check:

  $ ls -l /etc/ssl/certs/GlobalSign*

Lo and behold, there is an obvious hit: GlobalSign_Root_CA.pem.  So I put
that down as the certificate for the server.

Then, I can get the fingerprint for it from the same file, like so:

   $ openssl x509 -fingerprint -sha256 -noout -in ~/gmail.openssl.txt > gmail.fingerprint.txt

(Getmail uses sha256 as its preferred algorithm.)  I take the fingerprint
from the file and use that to certify the server.


Thing is, the technique doesn't work.  First I get an unhelpful error
message saying that the certificate, GlobalSign_Root_CA.pem, gives an
authentication error.  Well, okay.  If I take that out of the equation
I then get told that the fingerprint is wrong, but this time at least
I'm told what the correct fingerprint is -- and if I put the correct one
in all seems well.

The example above is about gmail, but I have the same problem with rogers
and other servers.  Oddly, the Office365 servers work exactly as they
should.

Two questions, which most of you undoubtedly know the answer to:

[1] If the email gets fetched with the fingerprint, is there any need for
    validating the server certificate?

[2] How can I find out what the correct server certificate is?


-- 
Peter King			 	peter.king at utoronto.ca
Department of Philosophy
170 St. George Street #521
The University of Toronto		   (416)-978-3311 dept
Toronto, ON  M5R 2M8
       CANADA

http://individual.utoronto.ca/pking/

=========================================================================
GPG keyID 0x7587EC42 (2B14 A355 46BC 2A16 D0BC  36F5 1FE6 D32A 7587 EC42)
gpg --keyserver pgp.mit.edu --recv-keys 7587EC42
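An added example, not part of Peter's post and not getmail's or openssl's own code: a short Python script that reads a transcript saved by `openssl s_client -showcerts`, splits it into the chain positions the transcript lists (position 0 is the server's own certificate, later positions are the issuing CAs), computes the SHA-256 fingerprint of each in the same `AA:BB:...` form that `openssl x509 -fingerprint -sha256` prints, and compares a pinned value against the observed one in constant time. It makes one point visible: `openssl x509 -in ~/gmail.openssl.txt` reads only the first PEM block in that file, so the fingerprint it prints belongs to the server's leaf certificate, which is a different certificate from any root CA file in `/etc/ssl/certs`. The transcript and the certificate bodies below are constructed placeholders (base64 of plain bytes, not real certificates), and the intermediate CA name is invented.

```python
import base64
import hashlib
import hmac
import re


def _fake_pem(payload: bytes) -> str:
    """Wrap constructed bytes in PEM armour; a placeholder, not a real cert."""
    body = base64.encodebytes(payload).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed transcript shaped like the output of
# `openssl s_client -connect pop.gmail.com:995 -showcerts`.
SAMPLE_TRANSCRIPT = (
    "CONNECTED(00000003)\n"
    "---\n"
    "Certificate chain\n"
    " 0 s:/CN=pop.gmail.com\n"
    "   i:/O=Example Intermediate CA/CN=Example Intermediate\n"
    + _fake_pem(b"constructed leaf certificate bytes")
    + " 1 s:/O=Example Intermediate CA/CN=Example Intermediate\n"
    "   i:/O=GlobalSign/CN=GlobalSign Root CA\n"
    + _fake_pem(b"constructed intermediate certificate bytes")
    + "---\n"
    "Server certificate\n"
)

# One chain entry: " N s:<subject>", "   i:<issuer>", then the PEM block.
_ENTRY_RE = re.compile(
    r"^\s*(?P<index>\d+) s:(?P<subject>[^\n]*)\n\s*i:(?P<issuer>[^\n]*)\n"
    r"-----BEGIN CERTIFICATE-----\n(?P<body>.*?)-----END CERTIFICATE-----",
    re.MULTILINE | re.DOTALL,
)


def parse_chain(transcript: str) -> list:
    """Return the chain entries in the transcript, each with its DER bytes."""
    chain = []
    for m in _ENTRY_RE.finditer(transcript):
        der = base64.b64decode("".join(m.group("body").split()))
        chain.append({
            "index": int(m.group("index")),
            "subject": m.group("subject").strip(),
            "issuer": m.group("issuer").strip(),
            "der": der,
        })
    return chain


def format_fingerprint(digest: bytes) -> str:
    """Colon-separated upper-case hex, the form openssl x509 prints."""
    return ":".join(f"{b:02X}" for b in digest)


def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, which is what openssl fingerprints."""
    return format_fingerprint(hashlib.sha256(der).digest())


def leaf_fingerprint(transcript: str) -> str:
    """Fingerprint of chain position 0: the server's own certificate."""
    chain = parse_chain(transcript)
    if not chain:
        raise ValueError("no certificate found in transcript")
    leaf = min(chain, key=lambda entry: entry["index"])
    return sha256_fingerprint(leaf["der"])


def fingerprint_matches(pinned: str, observed: str) -> bool:
    """Compare two fingerprints regardless of colons/case, in constant time."""
    def normalise(value: str) -> str:
        return value.replace(":", "").replace(" ", "").upper()
    return hmac.compare_digest(normalise(pinned), normalise(observed))


if __name__ == "__main__":
    for entry in parse_chain(SAMPLE_TRANSCRIPT):
        print(f"{entry['index']}  subject={entry['subject']}")
        print(f"   issuer={entry['issuer']}")
        print(f"   sha256={sha256_fingerprint(entry['der'])}")
    observed = leaf_fingerprint(SAMPLE_TRANSCRIPT)
    pinned = observed.lower().replace(":", "")  # same value, different spelling
    print("pinned fingerprint matches leaf:", fingerprint_matches(pinned, observed))
```

Run it against a real transcript by replacing `SAMPLE_TRANSCRIPT` with the contents of `~/gmail.openssl.txt`; the fingerprint printed for position 0 is the value a fingerprint-based mail fetcher wants, and the fingerprint of a CA file from `/etc/ssl/certs` will never equal it. The caveat a practitioner should plan for is that large providers reissue leaf certificates regularly, so a pinned leaf fingerprint stops matching at each renewal; verifying the chain against a CA bundle is the check that survives rotation, and the two checks guard against different failures rather than replacing each other.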