On 10/18/2011 03:24 PM, Tim Johnson wrote:
> I've been as of lately setting up email on a mac mini with Lion (OSX
> 10.7).
[...snip...]
Just to verify I'm attempting to offer a solution to the correct problem:
   You don't want the error messages shown.
Possible solutions:
   --silent passed as a parameter to your fetchmail invocation may 
suppress these messages, as you're not using the --sslcertck parameter. 
Can't hurt to try.
   Append "> /dev/null 2>&1" to the end of your fetchmail command.  This 
forces anything written to STDERR to be re-directed to STDOUT, and then 
dumped to /dev/null.  Not a great solution as it may dump other useful 
messages as well.
Better solutions:
   See if it's possible to use the MacOSX CA certs instead - frankly 
this doesn't sound like it will bear fruit (no pun intended), as it 
looks like OSX has moved away from OpenSSL to their "Common Crypto" 
libraries (1).
   Find the location openssl is searching for the CA cert files and add 
the appropriate CA certs; looks like this is reasonably well documented 
for a different provider here:
   http://fastmail.wikia.com/wiki/ConfiguringFetchmail
   THERE ARE DIFFERENCES: for example, where they used 'wget' to 
download the CA Certs for their Certificate provider?  Won't work here. 
  You should be able to get the correct certs from the certificates 
installed with a reasonably current Linux install (E.G. Ubuntu 10.10 has 
links to them in /etc/ssl/certs, or you can find the cert files in 
/usr/share/ca-certificates/mozilla/).
   You should be able to get the names of the certs you need by 
executing this command:
   openssl s_client -connect host266.hostmonster.com:995
   ...snip...
   ---
   Certificate chain
    0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.hostmonster.com
    i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
    1 s:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
    i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
    2 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
    i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   ...snip...
   Starting from the bottom and working up:
   /usr/share/ca-certificates/mozilla/AddTrust_External_Root.crt
   /usr/share/ca-certificates/mozilla/UTN_USERFirst_Hardware_Root_CA.crt
   /usr/share/ca-certificates/mozilla/Comodo_Trusted_Services_root.crt
   Last one I had to guess at - there are several Comodo CA certs, to 
verify I had the right one I ran the following command:
   openssl x509 -text -in /usr/share/ca-certificates/mozilla/Comodo_Trusted_Services_root.crt
   Please, exercise caution in getting the certificates you need.  Don't 
accept them from any random jack-wagon on the Internet - installing CA 
certificates from unvetted sources is an excellent way to eliminate any 
security you might have gotten from using SSL in the first place.
   And when you're done, you can verify it works using this command:
   openssl s_client -verify 3 -CApath $YOUR_CERT_DIRECTORY -connect host266.hostmonster.com:995
   Look for the following code near the very bottom of the (copious) output:
     Verify return code: 0 (ok)
R.
1) http://ludovicrousseau.blogspot.com/2011/08/mac-os-x-lion-and-openssl.html
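
Added example, not part of the original message: shell helpers for the procedure described above (list the chain's issuers from the bottom up, add a CA certificate to a -CApath directory, and test the verify return code). The function names and the sample text are constructed for illustration; the sample reuses the chain shown in the message.

```shell
#!/bin/sh
# Constructed sample: the chain from the message with wrapped lines rejoined,
# plus the verify line it says to look for.
sample_output() {
cat <<'EOF'
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.hostmonster.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
 2 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
    Verify return code: 0 (ok)
EOF
}

# Issuer CN of each chain entry, bottom entry first (old "/C=../CN=.." format).
chain_issuers() {
    sed -n 's/^ *i:.*\/CN=//p' |
        awk '{ line[NR] = $0 } END { for (i = NR; i > 0; i--) print line[i] }'
}

# Numeric code from "Verify return code: N (text)"; prints nothing if absent.
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | tail -n 1
}

# Copy a PEM CA cert ($2) into directory $1 and add the <subject-hash>.N link
# that -CApath lookups need (the job c_rehash does for a whole directory).
install_ca() {
    dir=$1 cert=$2
    hash=$(openssl x509 -noout -hash -in "$cert") || return 1
    cp "$cert" "$dir/" || return 1
    n=0
    while [ -e "$dir/$hash.$n" ]; do n=$((n + 1)); done
    ln -s "$(basename "$cert")" "$dir/$hash.$n"
}

# Succeed only if host:port ($1) verifies against the CApath directory ($2).
check_server() {
    out=$(openssl s_client -verify 3 -CApath "$2" -connect "$1" </dev/null 2>&1)
    [ "$(printf '%s\n' "$out" | verify_code)" = "0" ]
}
```

A cron job can then gate the mail fetch on the check, for instance by running fetchmail only when check_server succeeds for host266.hostmonster.com:995 and $YOUR_CERT_DIRECTORY.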
Received on Wed Oct 19 02:52:12 2011