On 02.01.22 at 11:54, Karsten wrote:
On 01.01.22 at 17:53, László Böszörményi (GCS) wrote:
On Sat, Jan 1, 2022 at 2:30 PM Karsten <deb...@decotrain.de> wrote:
But it would be helpful for others to know what must be done to create and install this new
"client side certificate" that
appeared around 2018?
  I think the certificate issue was there right from the beginning.
Definitely not. Mails were fetched for about 5 years without any problem.
Untrue. Messages were fetched without proper protection from
MITM/eavesdropping attacks, unless you were using *other* options to
ensure authenticity of the server. Which I doubt, else you would have
asked specific questions about fetchmail options.

I care about safety and privacy; that's the reason encryption with private
certificates is used.
Nonsense. That's the reason why fetchmail 6.4.0 finally broke
compatibility with broken sites and finally (far too late) enforces
proper X.509 certificate chains to so-called trust anchors.
In this case, is the original private certificate from the server needed?

Why must a client now have additional files to access a server?

No. That's the wrong question to ask. Do not ask "why they are needed
now", but "why have older fetchmail versions made proper trust
verification optional" for so many years.

And another question to ask is "why do users ignore manuals and NEWS
files of the applications they use?"

And a third one, to third parties and outside of this bug's context "how
do we get proper yet concise certificate trust management documentation
in prominent places?".

One half is really OpenSSL basic usage and how to maintain its trust
store, and one half is, sorry to be so blunt, a half-baked approach at
trying to be your own CA without knowing what you are doing.

Fetchmail's expectation is that the server-presented single self-signed
certificate, or normally certificate chain, traces back to a root
signing certificate that is "trusted" and is installed in your local
computer's OpenSSL trust store (the one running fetchmail), and trusted
in a way that it properly verifies the sub-CAs it authenticates with
respect to the policies and practices they implement. But this is all
OpenSSL trust handling and, again, not specific to fetchmail.
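To make the trust-anchor point above concrete, here is an added example (written for this page; it is not code from the thread, from fetchmail, or from OpenSSL's documentation). It builds a throwaway private CA and a server certificate signed by it, plus a lone self-signed server certificate, and then runs `openssl verify` the way a client does: the very same certificate is rejected until the CA certificate (or, for the self-signed case, the certificate itself) is handed to the verifier as trusted, and a chain that verifies is still rejected when the hostname does not match. The names `demo-ca`, `mail.example.test`, `imap.example.test`, the `WORK` scratch directory, the `demo.cnf` sections and the `make_demo_pki`/`verify_*` helpers are all invented for the demonstration; the script assumes an `openssl` command-line tool of version 1.1.1 or newer.

```shell
#!/bin/sh
# Added example (not from the thread): what "traces back to a trust anchor"
# means to OpenSSL, shown with a throwaway private CA. All names are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certificates

make_demo_pki() {
    # Self-contained config so the run does not depend on the system openssl.cnf.
    # keyUsage is deliberately left out of srv_ext so the same section also
    # serves the self-signed server certificate generated below.
    cat > "$WORK/demo.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = overridden-by-subj
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ srv_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:mail.example.test
subjectKeyIdentifier = hash
EOF
    # 1. Self-signed root CA: the trust anchor a client has to install.
    openssl req -x509 -config "$WORK/demo.cnf" -extensions ca_ext \
        -newkey rsa:2048 -nodes -sha256 -days 2 -subj "/CN=demo-ca" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    # 2. Server key and CSR for the (fictional) mail host.
    openssl req -new -config "$WORK/demo.cnf" \
        -newkey rsa:2048 -nodes -sha256 -subj "/CN=mail.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
    # 3. The CA signs the server certificate: this is what the server presents.
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -sha256 -extfile "$WORK/demo.cnf" -extensions srv_ext \
        -out "$WORK/server.pem" >/dev/null 2>&1
    # 4. A lone self-signed server certificate, the other case mentioned above.
    openssl req -x509 -config "$WORK/demo.cnf" -extensions srv_ext \
        -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=mail.example.test" \
        -keyout "$WORK/self.key" -out "$WORK/self.pem" >/dev/null 2>&1
}

# Each helper prints OK or FAIL. -no-CAfile/-no-CApath keep the system trust
# store out of the picture so that only the anchor passed explicitly counts.
verify_without_anchor() {
    # $1 = certificate to check; no trusted CA at all, so no chain can be built.
    if openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

verify_against() {
    # $1 = trust anchor file, $2 = certificate to check.
    if openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

verify_host() {
    # $1 = trust anchor file, $2 = expected hostname, $3 = certificate to check.
    # Chain check plus hostname check against the SAN, which is what a MITM
    # cannot produce without the CA's private key.
    if openssl verify -no-CAfile -no-CApath -CAfile "$1" -verify_hostname "$2" "$3" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

make_demo_pki
echo "signed cert, no trust anchor:       $(verify_without_anchor "$WORK/server.pem")"                 # FAIL
echo "signed cert, CA as anchor:          $(verify_against "$WORK/ca.pem" "$WORK/server.pem")"         # OK
echo "signed cert, right hostname:        $(verify_host "$WORK/ca.pem" mail.example.test "$WORK/server.pem")"  # OK
echo "signed cert, wrong hostname:        $(verify_host "$WORK/ca.pem" imap.example.test "$WORK/server.pem")"  # FAIL
echo "self-signed cert, no trust anchor:  $(verify_without_anchor "$WORK/self.pem")"                   # FAIL
echo "self-signed cert, itself as anchor: $(verify_against "$WORK/self.pem" "$WORK/self.pem")"         # OK
```

The two failing cases are the ones a pre-6.4 fetchmail silently tolerated: a certificate whose issuer is unknown, and a certificate that is valid but issued for a different name. On the fetchmail side the counterpart of `-CAfile` is `--sslcertfile` (or `--sslcertpath` for a directory that has been prepared with `openssl rehash`), and `--sslcertck` is what makes a verification failure fatal instead of a warning.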
