
On Wed, 7 Mar 2012, Craig Sanders wrote:
> On Tue, Mar 06, 2012 at 10:13:20PM +0000, James Harper wrote:
>>> fetchmail: Server certificate verification error: self signed certificate
>>> fetchmail: Server certificate verification error: certificate has expired
>> If you want the error to go away then turn off TLS.
> you're telling him to misconfigure fetchmail so that it sends his login and password in clear text over the internet. bad advice.
>> The only thing you are getting out of it is encryption, but that's of little value when you have no idea that you are communicating with the right server, which is the whole point of TLS/SSL.
> Wrong on both points. encryption alone is incredibly valuable, and encryption is the whole point of TLS/SSL. identity verification is a secondary, and e

Lots of good stuff cut out

> Judgement is required of the end-user. Unfortunately, this is another way of saying "we're all doomed, PKI is hopelessly compromised" :)
> craig

Thanks all for the responses, they have been most helpful. I did a "fetchmail -v" and it seems my ISP has enabled TLS without any kind of announcement.

A point before I discuss this further: I almost __NEVER__ (excuse the shouting) do business to a faceless anything, I always require some kind of shopfront and/or person I can directly deal with. It would be safe to say the only transactions I have carried out on the net is to get Debian from some of the very kind people on this list. 99.7% of my email will be to one particular address, I of course do not need to say which one.

As to TLS, Craig and at least one other have pointed out what I consider to be the serious flaw here. Now some time back I did a good deal of study on PGP and that kind of thing. In spite of the great hype going I almost at once came up with its most serious flaw: how do you know if the public key is valid and is not the result of some kind of forgery? Downloading a key off the net is no security at all. For instance, how do I know the public key to one of the Debian distributions required by Secure APT has not been forged? The answer is I do not. All this key proves is the distribution is effectively all one but not its origin. I have looked at the mathematics and I will grant here that the public and the private key definitely go together, but that is not the problem here.

As far as I am concerned securing a link to a mail server by a publicly available key is effectively no security and as I have indicated above I would never trust such a link.

Gets off soap box ;-), I am currently studying the Fetchmail FAQ and RFC2595 and will see how I go. The easiest path is to simply disable TLS, I will though do some more study.

many thanks for the help,
Lindsay