From owner-freebsd-questions@FreeBSD.ORG Sun Aug 15 20:36:27 2010
Message-ID: <4C684FC8.7040509@locolomo.org>
Date: Sun, 15 Aug 2010 22:36:24 +0200
From: Erik Norgaard
To: freebsd-questions@freebsd.org
References: <201008151938.o7FJc7vD001866@mist.nodomain>
In-Reply-To: <201008151938.o7FJc7vD001866@mist.nodomain>
Subject: Re: fetchmail ssl certificate verification problem in FreeBSD 8.1

On 15/08/10 21.38, Dan Strick wrote:

> I can get rid of the message by removing the ssl option from the user
> line but then fetchmail would not even try to use ssl. Why would the
> old fetchmail be better able to verify the server's ssl certificate?
> Has openssl changed? Where is the openssl certificate directory and why
> should the information needed to verify the server's certificate be
> found on my machine? Doesn't the openssl library contain something
> like a hardwired list of well known certificate authority systems?

After a little bit of searching around I found this (I don't know since when):

# less /usr/src/crypto/openssl/certs/README.RootCerts
The OpenSSL project does not (any longer) include root CA certificates.

Please check out the FAQ:
  * How can I set up a bundle of commercial root CA certificates?

The FAQ is here: /usr/src/crypto/openssl/FAQ

Also, you might find this interesting:

http://fetchmail.berlios.de/fetchmail-man.html#19

Check your fetchmail settings for sslcertck; maybe it's a compile-time
option to enable this by default. Fetchmail depends on ca_root_nss, check
that one too.

BR, Erik
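
Added example, not part of the original message: a shell lint that follows up on the advice to check sslcertck and the CA bundle. It reports, per fetchmailrc server entry, whether ssl is used with certificate checking enforced, and counts the certificates in a bundle file. It assumes a fetchmail build where sslcertck is off unless set; the function names, verdict strings and sample hosts are constructed, and the bundle path is assumed to be where ca_root_nss installs its file.

```shell
#!/bin/sh
# Added example: heuristic fetchmailrc lint. Assumes sslcertck is off unless
# set, and that the server name follows poll/skip on the same line.

# ca_bundle_count FILE: number of PEM certificates in FILE (0 if unreadable).
ca_bundle_count() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || :
}

# lint_fetchmailrc FILE: print "<server> <verdict>" for each poll/skip entry.
lint_fetchmailrc() {
    awk '
    function report(   v) {
        if (host == "") return
        if (!("ssl" in o))              v = "no-ssl"
        else if ("sslcertck" in o)
            v = (("sslcertfile" in o) || ("sslcertpath" in o)) ? "verified" : "verified-default-ca-dir"
        else if ("sslfingerprint" in o) v = "fingerprint-pinned"
        else                            v = "ssl-unverified"
        print host, v
    }
    {
        gsub(/"[^"]*"/, "Q")   # blank quoted strings (passwords, fingerprints)
        sub(/#.*/, "")         # drop comments
        for (i = 1; i <= NF; i++) {
            if ($i == "defaults") { report(); host = ""; indef = 1 }
            else if ($i == "poll" || $i == "skip") {
                report(); host = $(++i); indef = 0
                split("", o); for (k in d) o[k] = 1    # inherit defaults
            }
            else if ($i == "no") { i++; if (indef) delete d[$i]; else delete o[$i] }
            else if ($i ~ /^ssl(certck|certfile|certpath|fingerprint)?$/) {
                if (indef) d[$i] = 1; else o[$i] = 1
            }
        }
    }
    END { report() }
    ' "$1"
}

# Constructed sample; the bundle path is where ca_root_nss installs its file.
sample=$(mktemp)
cat > "$sample" <<'EOF'
poll pop.example.org user "dan" password "s3cret #1" ssl
poll imap.example.com user "dan" ssl sslcertck
     sslcertfile /usr/local/share/certs/ca-root-nss.crt
EOF
lint_fetchmailrc "$sample"; rm -f "$sample"
```

An entry reported as ssl-unverified encrypts the session but only warns on a bad certificate; verified-default-ca-dir means the check relies on whatever OpenSSL's default certificate directory contains, which is worth confirming with ca_bundle_count or by listing that directory.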