[aklug] Re: Fetchmail :: suppressing 'local issuer certificate' complaints

From: Tim Johnson <tim@akwebsoft.com>
Date: Wed Oct 19 2011 - 07:25:39 AKDT

* R Denison <gaijin@gci.net> [111019 02:56]:
> On 10/18/2011 03:24 PM, Tim Johnson wrote:
> > I've been as of lately setting up email on a mac mini with Lion (OSX
> > 10.7).
> [...snip...]
>
> Just to verify I'm attempting to offer a solution to the correct problem:
>
> You don't want the error messages shown.
>
> Possible solutions:
Thanks for the reply. I'm a little irritated that the hostmonsters
techs have not yet contacted me after requesting to look at my
.fetchmailrc.
I've considered just adding the certs as you indicate below...
and I could even use a script to 'weed' the cert complaints and
back up the logs regularly if I so wished, but that is a rigged solution.
>
> --silent passed as a parameter to your fetchmail invocation may
> suppress these messages, as you're not using the --sslcertck parameter.
> Can't hurt to try.
>
> Append "2>&1 > /dev/null" to the end of your fetchmail command. This
> forces anything written to STDERR to be re-directed to STDOUT, and then
> dumped to /dev/null. Not a great solution as it may dump other useful
> messages as well.
>
> Better solutions:
>
> See if it's possible to use the MacOSX CA certs instead - frankly
> this doesn't sound like it will bear fruit (no pun intended), as it
> looks like OSX has moved away from OpenSSL to their "Common Crypto"
> libraries (1).
>
> Find the location openssl is searching for the CA cert files and add
> the appropriate CA certs; looks like this is reasonably well documented
> for a different provider here:
>
> http://fastmail.wikia.com/wiki/ConfiguringFetchmail
>
> THERE ARE DIFFERENCES: for example, where they used 'wget' to
> download the CA Certs for their Certificate provider? Won't work here.
> You should be able to get the correct certs from the certificates
> installed with a reasonably current Linux install (E.G. Ubuntu 10.10 has
> links to them in /etc/ssl/certs, or you can find the cert files in
> /usr/share/ca-certificates/mozilla/).
>
> You should be able to get the names of the certs you need by
> executing this command:
>
> openssl s_client -connect host266.hostmonster.com:995
> ...snip...
> ---
> Certificate chain
> 0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.hostmonster.com
> i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
> 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
> i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
> 2 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
> i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
> ...snip...
>
> Starting from the bottom and working up:
>
> /usr/share/ca-certificates/mozilla/AddTrust_External_Root.crt
>
> /usr/share/ca-certificates/mozilla/UTN_USERFirst_Hardware_Root_CA.crt
>
> /usr/share/ca-certificates/mozilla/Comodo_Trusted_Services_root.crt
>
> Last one I had to guess at - there are several Comodo CA certs, to
> verify I had the right one I ran the following command:
>
> openssl x509 -text -in /usr/share/ca-certificates/mozilla/Comodo_Trusted_Services_root.crt
>
> Please, exercise caution in getting the certificates you need. Don't
> accept them from any random jack-wagon on the Internet - installing CA
> certificates from unvetted sources is an excellent way to eliminate any
> security you might have gotten from using SSL in the first place.
>
> And when you're done, you can verify it works using this command:
>
> openssl s_client -verify 3 -CApath $YOUR_CERT_DIRECTORY -connect host266.hostmonster.com:995
>
> Look for the following code near the very bottom of the (copious) output:
>
> Verify return code: 0 (ok)
>
> R.
>
> 1)
> http://ludovicrousseau.blogspot.com/2011/08/mac-os-x-lion-and-openssl.html
> ---------
> To unsubscribe, send email to <aklug-request@aklug.org>
> with 'unsubscribe' in the message body.
>

-- 
Tim 
tim at tee jay forty nine dot com or akwebsoft dot com
http://www.akwebsoft.com
Received on Wed Oct 19 07:24:32 2011
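Added worked example (not part of the thread above, and not fetchmail's or hostmonster's own material): the script below reproduces OpenSSL's "unable to get local issuer certificate" error with a throwaway root -> intermediate -> leaf chain, shows that trusting only the intermediate still fails, and then clears the error by dropping the root CA into a hashed CApath directory, which is the same lookup that "openssl s_client -CApath" and fetchmail's --sslcertck/--sslcertpath use. Every subject name, hostname and path in it is made up for the demonstration; it needs only the openssl command-line tool and runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway CA chain, then show
# OpenSSL's verification verdict with (a) nothing trusted, (b) only the
# intermediate trusted and (c) the root trusted via a hashed CApath directory.
# All subjects, hostnames and paths are invented for the demonstration.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Sign a CSR with a CA key. Extensions come from an ext file, so the
# intermediate becomes a real CA (basicConstraints CA:TRUE) and the leaf does not.
sign() { # sign <csr> <ca-cert> <ca-key> <extfile> <serial> <out>
    openssl x509 -req -days 2 -sha256 -in "$1" -CA "$2" -CAkey "$3" \
        -extfile "$4" -set_serial "$5" -out "$6" 2>/dev/null
}

# Build root -> intermediate -> leaf, mirroring the three-level chain that
# "openssl s_client" printed in the thread (root self-signed, rest signed above).
make_chain() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.test\n' > "$WORK/leaf.ext"
    for n in root int leaf; do
        case $n in
            root) subj="/O=Example/CN=Example Root CA" ;;
            int)  subj="/O=Example/CN=Example Intermediate CA" ;;
            leaf) subj="/CN=mail.example.test" ;;
        esac
        openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$subj" \
            -keyout "$WORK/$n.key" -out "$WORK/$n.csr" 2>/dev/null || return 1
    done
    openssl x509 -req -days 2 -sha256 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null || return 1
    sign "$WORK/int.csr"  "$WORK/root.crt" "$WORK/root.key" "$WORK/ca.ext"   1000 "$WORK/int.crt"  || return 1
    sign "$WORK/leaf.csr" "$WORK/int.crt"  "$WORK/int.key"  "$WORK/leaf.ext" 1001 "$WORK/leaf.crt" || return 1
}

# Populate a CApath directory the way c_rehash does: one PEM file per CA,
# named <subject-hash>.0 so OpenSSL can locate an issuer by subject name.
add_to_capath() { # add_to_capath <dir> <cert>...
    dir=$1; shift
    mkdir -p "$dir"
    for c in "$@"; do
        h=$(openssl x509 -noout -subject_hash -in "$c")
        cp "$c" "$dir/$h.0"
    done
}

# Verify the leaf as fetchmail --sslcertck would: the intermediate is offered
# as untrusted (a server sends it in the handshake) and $1 is the only trust
# store. Prints OpenSSL's verdict and always returns 0 so callers can read it.
verify_leaf() { # verify_leaf <capath>
    openssl verify -no-CAfile -CApath "$1" -untrusted "$WORK/int.crt" "$WORK/leaf.crt" 2>&1 || :
}

if make_chain; then
    mkdir -p "$WORK/empty"                         # nothing trusted: the situation in the thread
    add_to_capath "$WORK/intonly" "$WORK/int.crt" # only the intermediate: still not enough
    add_to_capath "$WORK/capath"  "$WORK/root.crt" # the root: what the thread tells you to install
    echo "== empty CApath";      verify_leaf "$WORK/empty"
    echo "== intermediate only"; verify_leaf "$WORK/intonly"
    echo "== root in CApath";    verify_leaf "$WORK/capath"
else
    echo "could not build the test chain (is openssl installed?)" >&2
fi
```

The first run ends in "error 20 ... unable to get local issuer certificate", the second in "error 2 ... unable to get issuer certificate" (the store has the intermediate but nothing self-signed above it), and only the third prints "leaf.crt: OK". Two practical caveats when doing this for real: hash the directory with the same OpenSSL that fetchmail is linked against, because the subject hash changed between 0.9.8 and 1.0.0 (c_rehash does this for you; "openssl x509 -subject_hash_old" prints the 0.9.8-style name from a newer build), and point fetchmail at the directory with "sslcertck" plus "sslcertpath <dir>" so the check actually fails closed instead of only logging.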
