SSL fingerprint verification

Johannes Stezenbach js at sig21.net
Tue Aug 30 16:17:59 BST 2011


Hi,

On Tue, Aug 30, 2011 at 02:19:37PM +0200, Sebastian Spaeth wrote:
> I found some time to implement SSL server fingerprint verification. If
> we connect via SSL (not STARTTLS), and we have no CA certificate
> specified for verification, we will check the server SSL cert
> fingerprint. If it doesn't match a fingerprint string that the user has
> configured we bail out with an error:
> 
> ERROR: Server SSL fingerprint '17f7f2ff4a9dc3d32b8ae91247c4a428' for
> hostname 'mail.dreamhost.com' does not match configured
> fingerprint. Please verify and set 'sslfingerprint' accordingly if not
> set yet.
> 
> This means you need to configure:
> 
> sslfingerprint = 17f7f2ff4a9dc3d32b8ae91247c4a428
> 
> in the repository section of your mail server. This check is performed
> every time we connect to the server.
> 
> The fingerprint is the md5.hexdigest() of the binary SSL server cert.
> 
> Would something like this be of interest? Feedback? Patch as reply...

Yes, it is of interest.  A few comments, though:

- I'd prefer SHA-1 over MD5 since MD5 is weaker
  (actually SHA-256 might be an even better choice, but MD5 and SHA-1
  are commonly used for certificate fingerprints)

- IMHO "certfingerprint" would be a better name than "sslfingerprint"

- cert fingerprint check is a stronger check than CA certificate
  chain validation ("exactly this cert" vs. "any valid cert for X"),
  so if both are configured the fingerprint check needs to be done.
  It is useful to do both since the fingerprint check alone
  won't check e.g. expiration dates (but sometimes this is exactly
  what you want, if you trust the cert even if it is invalid/expired
  e.g. because you have created it yourself)


Thanks
Johannes




More information about the OfflineIMAP-project mailing list