aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2016-12-01 14:26:37 +0100
committerGuilhem Moulin <guilhem@fripost.org>2016-12-01 14:26:37 +0100
commitb399fbee737ebe99491bf1370002bbff00a784e0 (patch)
treeab00dc6b6e97ad8f8cabedbac71a4c5361a81833
parent986edff592c159cb9057e960f380057ff06da939 (diff)
"fingerprint" now only pins the cert's SPKI, not the cert itself.
-rw-r--r--interimap.md17
-rw-r--r--lib/Net/IMAP/InterIMAP.pm4
-rw-r--r--pullimap.md17
3 files changed, 26 insertions, 12 deletions
diff --git a/interimap.md b/interimap.md
index 7d119ab..b923933 100644
--- a/interimap.md
+++ b/interimap.md
@@ -345,12 +345,19 @@ Valid options are:
*SSL_fingerprint*
-: Fingerprint of the server certificate (or its public key) in the
- form `[ALGO$]DIGEST_HEX`, where `ALGO` is the used algorithm
- (by default `sha256`).
+: Fingerprint of the server certificate's Subject Public Key Info, in
+ the form `[ALGO$]DIGEST_HEX` where `ALGO` is the used algorithm (by
+ default `sha256`).
Attempting to connect to a server with a non-matching certificate
- fingerprint causes `interimap` to abort the connection during the
- SSL/TLS handshake.
+ SPKI fingerprint causes `interimap` to abort the connection during
+ the SSL/TLS handshake.
+
+ You can use the following command to compute the SHA-256 digest of
+ certificate's Subject Public Key Info.
+
+ openssl x509 -in /path/to/server/certificate.pem -pubkey \
+ | openssl pkey -pubin -outform DER \
+ | openssl dgst -sha256
*SSL_verify*
diff --git a/lib/Net/IMAP/InterIMAP.pm b/lib/Net/IMAP/InterIMAP.pm
index a899831..7a1ba34 100644
--- a/lib/Net/IMAP/InterIMAP.pm
+++ b/lib/Net/IMAP/InterIMAP.pm
@@ -1539,8 +1539,8 @@ sub _ssl_verify($$$) {
my $type = Net::SSLeay::EVP_get_digestbyname($algo)
or $self->_ssl_error("Can't find MD value for name '$algo'");
- if (Net::SSLeay::X509_digest($cert, $type) ne $digest and
- Net::SSLeay::X509_pubkey_digest($cert, $type) ne $digest) {
+ my $pkey = Net::SSLeay::X509_get_X509_PUBKEY($cert);
+ unless (defined $pkey and Net::SSLeay::EVP_Digest($pkey, $type) eq $digest) {
$self->warn("Fingerprint doesn't match! MiTM in action?");
$ok = 0;
}
diff --git a/pullimap.md b/pullimap.md
index 06e5988..cb2a07a 100644
--- a/pullimap.md
+++ b/pullimap.md
@@ -210,12 +210,19 @@ Valid options are:
*SSL_fingerprint*
-: Fingerprint of the server certificate (or its public key) in the
- form `[ALGO$]DIGEST_HEX`, where `ALGO` is the used algorithm
- (by default `sha256`).
+: Fingerprint of the server certificate's Subject Public Key Info, in
+ the form `[ALGO$]DIGEST_HEX` where `ALGO` is the used algorithm (by
+ default `sha256`).
Attempting to connect to a server with a non-matching certificate
- fingerprint causes `pullimap` to abort the connection during the
- SSL/TLS handshake.
+ SPKI fingerprint causes `pullimap` to abort the connection during
+ the SSL/TLS handshake.
+
+ You can use the following command to compute the SHA-256 digest of
+ certificate's Subject Public Key Info.
+
+ openssl x509 -in /path/to/server/certificate.pem -pubkey \
+ | openssl pkey -pubin -outform DER \
+ | openssl dgst -sha256
*SSL_verify*