[Eisfair] Warnings with SSL fetchmail

Marcus Roeckrath marcus.roeckrath at gmx.de
Fri Mar 21 09:27:53 CET 2014


Hello Alexander,

Alexander Dahl wrote:

> Probably not, as long as the certificate appears valid overall. I am not
> aware that Thunderbird, for example, gives warnings when the certificate
> changes. If the chain is correct, I think that is enough.

Have a look at this; I copied the certificate passage out of the fetchmail
debug log:

T-Online, wrong:

fetchmail: Certificate chain, from root to peer, starting at depth 2:
fetchmail: Issuer Organization: Deutsche Telekom AG
fetchmail: Issuer CommonName: Deutsche Telekom Root CA 2
fetchmail: Subject CommonName: Deutsche Telekom Root CA 2
fetchmail: Certificate at depth 1:
fetchmail: Issuer Organization: Deutsche Telekom AG
fetchmail: Issuer CommonName: Deutsche Telekom Root CA 2
fetchmail: Subject CommonName: TeleSec ServerPass DE-1
fetchmail: Server certificate:
fetchmail: Issuer Organization: T-Systems International GmbH
fetchmail: Issuer CommonName: TeleSec ServerPass DE-1
fetchmail: Subject CommonName: securepop.t-online.de
fetchmail: Subject Alternative Name: securepop.t-online.de
fetchmail: Subject Alternative Name: popmail.t-online.de
fetchmail: Subject Alternative Name: pop-mail.t-online.de
fetchmail: Subject Alternative Name: secure-pop.t-online.de
fetchmail: Subject Alternative Name: multipop.t-online.de
fetchmail: Subject Alternative Name: pop.t-online.de
fetchmail: securepop.t-online.de key fingerprint:
93:3E:E9:1A:02:0B:6F:49:7E:C5:3B:A4:04:8F:8B:EE
fetchmail: securepop.t-online.de fingerprints do not match!

And now the working GMX part. It is striking that the wrong
T-Online certificate has the same chain of certifying certificates:

fetchmail: Certificate chain, from root to peer, starting at depth 2:
fetchmail: Issuer Organization: Deutsche Telekom AG
fetchmail: Issuer CommonName: Deutsche Telekom Root CA 2
fetchmail: Subject CommonName: Deutsche Telekom Root CA 2
fetchmail: Certificate at depth 1:
fetchmail: Issuer Organization: Deutsche Telekom AG
fetchmail: Issuer CommonName: Deutsche Telekom Root CA 2
fetchmail: Subject CommonName: TeleSec ServerPass DE-1
fetchmail: Server certificate:
fetchmail: Issuer Organization: T-Systems International GmbH
fetchmail: Issuer CommonName: TeleSec ServerPass DE-1
fetchmail: Subject CommonName: pop.gmx.net
fetchmail: Subject Alternative Name: pop.gmx.net
fetchmail: Subject Alternative Name: pop.gmx.de
fetchmail: pop.gmx.net key fingerprint:
8A:B7:78:CF:0D:73:4E:EE:FF:EB:B8:C0:90:7D:46:56
fetchmail: pop.gmx.net fingerprints match.

Whereas the working old T-Online certificate, which is still being
served, is certified by Verisign:

fetchmail: Certificate chain, from root to peer, starting at depth 3:
fetchmail: Issuer Organization: VeriSign, Inc.
fetchmail: Unknown Issuer CommonName
fetchmail: Certificate at depth 2:
fetchmail: Issuer Organization: VeriSign, Inc.
fetchmail: Unknown Issuer CommonName
fetchmail: Subject CommonName: VeriSign Class 3 Public Primary Certification
Authority - G5
fetchmail: Certificate at depth 1:
fetchmail: Issuer Organization: VeriSign, Inc.
fetchmail: Issuer CommonName: VeriSign Class 3 Public Primary Certification
Authority - G5
fetchmail: Subject CommonName: VeriSign Class 3 International Server CA - G3
fetchmail: Server certificate:
fetchmail: Issuer Organization: VeriSign, Inc.
fetchmail: Issuer CommonName: VeriSign Class 3 International Server CA - G3
fetchmail: Subject CommonName: securepop.t-online.de
fetchmail: Subject Alternative Name: securepop.t-online.de
fetchmail: Subject Alternative Name: popmail.t-online.de
fetchmail: Subject Alternative Name: pop-mail.t-online.de
fetchmail: Subject Alternative Name: secure-pop.t-online.de
fetchmail: Subject Alternative Name: multipop.t-online.de
fetchmail: Subject Alternative Name: pop.t-online.de
fetchmail: securepop.t-online.de key fingerprint:
CE:CF:FE:44:69:3A:EF:EF:73:42:97:60:B0:41:95:35
fetchmail: securepop.t-online.de fingerprints match.

PS: It happened twice again last night.

-- 
Regards, Marcus
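
The logs quoted above show securepop.t-online.de presenting two different leaf certificates. As an added example (not part of the original post), this script parses fetchmail debug output and lists hosts that presented more than one leaf issuer/fingerprint pair. The function names are hypothetical and the sample is constructed by abridging the log lines quoted in the message.

```python
import re

FP_RE = re.compile(r"(\S+) key fingerprint: ([0-9A-F:]+)$")
RESULT_RE = re.compile(r"(\S+) fingerprints (match\.|do not match!)$")
# Constructed input: two of the handshakes quoted above, abridged.
SAMPLE_LOG = """\
fetchmail: Certificate at depth 1:
fetchmail: Issuer CommonName: Deutsche Telekom Root CA 2
fetchmail: Server certificate:
fetchmail: Issuer CommonName: TeleSec ServerPass DE-1
fetchmail: securepop.t-online.de key fingerprint:
93:3E:E9:1A:02:0B:6F:49:7E:C5:3B:A4:04:8F:8B:EE
fetchmail: securepop.t-online.de fingerprints do not match!
fetchmail: Server certificate:
fetchmail: Issuer CommonName: VeriSign Class 3 International Server CA - G3
fetchmail: securepop.t-online.de key fingerprint: CE:CF:FE:44:69:3A:EF:EF:73:42:97:60:B0:41:95:35
fetchmail: securepop.t-online.de fingerprints match.
"""

def unwrap(text):  # strip the "fetchmail: " prefix, rejoin mail-wrapped lines
    out = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("fetchmail: "):
            out.append(line[len("fetchmail: "):])
        elif out:
            out[-1] += " " + line
    return out

def leaf_certs(text):
    """One record per handshake: host, leaf issuer, fingerprint, pin result."""
    records, cur, in_leaf = [], {}, False
    for line in unwrap(text):
        if line == "Server certificate:":
            cur, in_leaf = {}, True
        elif in_leaf and line.startswith("Issuer CommonName: "):
            cur["issuer"] = line.split(": ", 1)[1]  # leaf issuer only, not the chain
        elif m := FP_RE.fullmatch(line):
            cur.update(host=m[1], fingerprint=m[2])
        elif (m := RESULT_RE.fullmatch(line)) and "fingerprint" in cur:
            records.append({**cur, "pin_ok": m[2] == "match."})
            cur, in_leaf = {}, False
    return records

def rotating_hosts(records):
    """Hosts that presented more than one (leaf issuer, fingerprint) pair."""
    seen = {}
    for r in records:
        seen.setdefault(r["host"], set()).add((r.get("issuer", "?"), r["fingerprint"]))
    return {h: sorted(v) for h, v in seen.items() if len(v) > 1}
```

Calling `rotating_hosts(leaf_certs(log_text))` on a full debug log gives, per host, every leaf certificate seen, so each one can be checked before its fingerprint is trusted.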

