[Eisfair] Re3a Ergänzung Fingerprints-Prüfung

Alex Busam abusam at gmx.de
Do Nov 1 23:46:08 CET 2018


> Wie lautet der Fingerprint in der Mailkonfigurationsdatei?
ich tragen ein fake-Fingerprint ein
00:.....ff
dann mit Mail addon certificates update fingerprints
Start request of pop/imap certificates 
                      Requesting: all 
                                            pop.1und1.de:995 in progress 
 
pop.1und1.de:995 Using port 995 
                      pop.1und1.de:995 pop/imap certificate downloaded 
(pop.1und1.de.pem)                            pop.1und1.de:995 Updating 
CRL 
pop.1und1.de:995 Updating all appearances of fingerprint 
                      pop.1und1.de:995 
00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff to 
    pop.1und1.de:995   E8:1F:E0:01:B8:31:23:F8:7D:BE:18:4B:CA:43:BC:4C 



/var/install/bin/certs-show-chain --nogui pop.1und1.de
Show certificate chain (run as 'root')
*
| certificate : pop.1und1.de.pem (255469e9)
| subject     : C = DE O = 11 Internet SE ST = Rheinland-Pfalz L = 
Montabaur CN = pop.1und1.de
| issuer      : C = DE O = T-Systems International GmbH OU = T-Systems 
Trust Center ST = Nordrhein Westfalen postalCode = 57250 L = Netphen 
street = Untere Industriestr. 20 CN = TeleSec ServerPass DE-2
| MD5 f-print : E8:1F:E0:01:B8:31:23:F8:7D:BE:18:4B:CA:43:BC:4C
| SHA1 f-print: FB:A8:54:7E:35:15:D2:8A:55:43:57:A8:53:F7:E8:54:82:EB:E4:B5
|
+->| certificate : telesec_serverpass_de-2.pem (423ece6c)
    | subject     : C = DE O = T-Systems International GmbH OU = 
T-Systems Trust Center ST = Nordrhein Westfalen postalCode = 57250 L = 
Netphen street = Untere Industriestr. 20 CN = TeleSec ServerPass DE-2
    | issuer      : C = DE O = Deutsche Telekom AG OU = T-TeleSec Trust 
Center CN = Deutsche Telekom Root CA 2
    | MD5 f-print : 0F:3A:F8:54:C5:AB:0F:08:85:72:91:02:E5:77:76:F2
    | SHA1 f-print: 
98:66:2C:9A:0D:09:47:E3:DE:92:8A:FE:4C:15:C8:0B:38:4E:8C:CA
    |
    +->| certificate : Deutsche_Telekom_Root_CA_2.pem (812e17de)
       | subject     : C = DE O = Deutsche Telekom AG OU = T-TeleSec 
Trust Center CN = Deutsche Telekom Root CA 2
       | issuer      : C = DE O = Deutsche Telekom AG OU = T-TeleSec 
Trust Center CN = Deutsche Telekom Root CA 2
       | MD5 f-print : 74:01:4A:91:B1:08:C4:58:CE:47:CD:F0:DD:11:53:08
       | SHA1 f-print: 
85:A4:08:C0:9C:19:3E:5D:51:58:7D:CD:D6:13:30:FD:8C:DE:37:BF
       |
       +-> end of chain!

checking certificate chain:
/usr/local/ssl/certs/pop.1und1.de.pem: OK
     Last Update: Oct 29 13:10:13 2018 GMT
     Next Update: Nov  3 13:10:13 2018 GMT


Hier sind die Fingerprints also gleich, wie Du auch schon sagtest.
Aber beim nächsten automatischen Fetchmail:
Dispatched from fetchmail agent on server 'myeis'
Current Date: 2018-11-01 Time: 23:42:19

fetchmail: awakened at Thu, 01 Nov 2018 23:42:15 (CET)
fetchmail: pop.1und1.de fingerprints do not match!
fetchmail: OpenSSL reported: error:1416F086:SSL 
routines:tls_process_server_certificate:certificate verify failed
fetchmail: SSL connection failed.
fetchmail: socket error while fetching from mmmmmm at mmmmmmm.de@pop.1und1.de
fetchmail: Query status=2 (SOCKET)
fetchmail: sleeping at Thu, 01 Nov 2018 23:42:19 (CET) for 180 seconds

Starting Fingerprint Update
  pop.1und1.de


Jetzt bin ich gespannt was die Lösung ist

Viele Grüße
Alex



Mehr Informationen über die Mailingliste Eisfair