diff options
author | Guilhem Moulin <guilhem@fripost.org> | 2016-12-01 14:26:37 +0100 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2016-12-01 14:26:37 +0100 |
commit | b399fbee737ebe99491bf1370002bbff00a784e0 (patch) | |
tree | ab00dc6b6e97ad8f8cabedbac71a4c5361a81833 | |
parent | 986edff592c159cb9057e960f380057ff06da939 (diff) |
"fingerprint" now only pins the cert's SPKI, not the cert itself.
-rw-r--r-- | interimap.md | 17 | ||||
-rw-r--r-- | lib/Net/IMAP/InterIMAP.pm | 4 | ||||
-rw-r--r-- | pullimap.md | 17 |
3 files changed, 26 insertions, 12 deletions
diff --git a/interimap.md b/interimap.md index 7d119ab..b923933 100644 --- a/interimap.md +++ b/interimap.md @@ -345,12 +345,19 @@ Valid options are: *SSL_fingerprint* -: Fingerprint of the server certificate (or its public key) in the - form `[ALGO$]DIGEST_HEX`, where `ALGO` is the used algorithm - (by default `sha256`). +: Fingerprint of the server certificate's Subject Public Key Info, in + the form `[ALGO$]DIGEST_HEX` where `ALGO` is the used algorithm (by + default `sha256`). Attempting to connect to a server with a non-matching certificate - fingerprint causes `interimap` to abort the connection during the - SSL/TLS handshake. + SPKI fingerprint causes `interimap` to abort the connection during + the SSL/TLS handshake. + + You can use the following command to compute the SHA-256 digest of + certificate's Subject Public Key Info. + + openssl x509 -in /path/to/server/certificate.pem -pubkey \ + | openssl pkey -pubin -outform DER \ + | openssl dgst -sha256 *SSL_verify* diff --git a/lib/Net/IMAP/InterIMAP.pm b/lib/Net/IMAP/InterIMAP.pm index a899831..7a1ba34 100644 --- a/lib/Net/IMAP/InterIMAP.pm +++ b/lib/Net/IMAP/InterIMAP.pm @@ -1539,8 +1539,8 @@ sub _ssl_verify($$$) { my $type = Net::SSLeay::EVP_get_digestbyname($algo) or $self->_ssl_error("Can't find MD value for name '$algo'"); - if (Net::SSLeay::X509_digest($cert, $type) ne $digest and - Net::SSLeay::X509_pubkey_digest($cert, $type) ne $digest) { + my $pkey = Net::SSLeay::X509_get_X509_PUBKEY($cert); + unless (defined $pkey and Net::SSLeay::EVP_Digest($pkey, $type) eq $digest) { $self->warn("Fingerprint doesn't match! MiTM in action?"); $ok = 0; } diff --git a/pullimap.md b/pullimap.md index 06e5988..cb2a07a 100644 --- a/pullimap.md +++ b/pullimap.md @@ -210,12 +210,19 @@ Valid options are: *SSL_fingerprint* -: Fingerprint of the server certificate (or its public key) in the - form `[ALGO$]DIGEST_HEX`, where `ALGO` is the used algorithm - (by default `sha256`). +: Fingerprint of the server certificate's Subject Public Key Info, in + the form `[ALGO$]DIGEST_HEX` where `ALGO` is the used algorithm (by + default `sha256`). Attempting to connect to a server with a non-matching certificate - fingerprint causes `pullimap` to abort the connection during the - SSL/TLS handshake. + SPKI fingerprint causes `pullimap` to abort the connection during + the SSL/TLS handshake. + + You can use the following command to compute the SHA-256 digest of + certificate's Subject Public Key Info. + + openssl x509 -in /path/to/server/certificate.pem -pubkey \ + | openssl pkey -pubin -outform DER \ + | openssl dgst -sha256 *SSL_verify* |