| 1 |
Fetchmail client-side SSL support |
| 2 |
================================= |
| 3 |
|
| 4 |
Preface |
| 5 |
------- |
| 6 |
|
| 7 |
Note: there is a separate document "README.SSL-SERVER" describing the server- |
| 8 |
side requirements for proper SSL support. It has checklist-style and is not |
| 9 |
specific to fetchmail. |
| 10 |
|
| 11 |
In case of troubles, mail the README.SSL-SERVER file to your ISP and |
| 12 |
have them check their server configuration against it. |
| 13 |
|
| 14 |
Unfortunately, fetchmail confuses SSL/TLS protocol levels with whether |
| 15 |
a service needs to use in-band negotiation (STLS/STARTTLS for POP3/IMAP4) or is |
| 16 |
totally SSL-wrapped on a separate port. For compatibility reasons, this cannot |
| 17 |
be fixed in a bugfix release. |
| 18 |
|
| 19 |
-- Matthias Andree, 2009-05-09 |
| 20 |
|
| 21 |
|
| 22 |
Quickstart |
| 23 |
---------- |
| 24 |
|
| 25 |
For use of SSL or TLS with in-band negotiation on the regular service's port, |
| 26 |
i. e. with STLS or STARTTLS, use these command line options |
| 27 |
|
| 28 |
--sslproto tls1 --sslcertck |
| 29 |
|
| 30 |
or these options in the rcfile (after the respective "user"... options) |
| 31 |
|
| 32 |
sslproto tls1 sslcertck |
| 33 |
|
| 34 |
|
| 35 |
For use of SSL or TLS on a separate port, if the whole TCP connection is |
| 36 |
SSL-encrypted from the very beginning, use these command line options (in the |
| 37 |
rcfile, omit all leading "--"): |
| 38 |
|
| 39 |
--ssl --sslproto ssl3 --sslcertck |
| 40 |
|
| 41 |
or these options in the rcfile (after the respective "user"... options) |
| 42 |
|
| 43 |
ssl sslproto ssl3 sslcertck |
| 44 |
|
| 45 |
|
| 46 |
Background and use (long version :-)) |
| 47 |
------------------ |
| 48 |
|
| 49 |
Using fetchmail's "ssl" option, you can have the data transferred between you |
| 50 |
and the server in an encrypted form, so that eavesdropping should become |
| 51 |
practically impossible. |
| 52 |
|
| 53 |
This works as follows: the server has a key pair (a secret and a public key), |
| 54 |
and it sends the client its public key. Messages encrypted with the public key |
| 55 |
can be decrypted using the private one and vice versa. |
| 56 |
|
| 57 |
A symmetric session key (symmetric means that the same key is used for |
| 58 |
encryption and decryption) can now be agreed upon by the two parties using the |
| 59 |
secure channel the key pair builds. The session key is now used to encrypt the |
| 60 |
traffic. |
| 61 |
|
| 62 |
In the fetchmail case, the client can now authenticate itself to the server by |
| 63 |
using the usual POP/IMAP/whatever authentication mechanisms. |
| 64 |
|
| 65 |
However, so called man-in-the-middle attacks are still possible: in such |
| 66 |
a setting, an attacker pretends to be the server, and thus can e.g. get your |
| 67 |
authentication information if you do not use a challenge based authentication |
| 68 |
mechanism (because it is thought to be the real server, fetchmail will try to |
| 69 |
authenticate against it by telling it your password). |
| 70 |
|
| 71 |
So, not only do you need to prove your identity to the server, the |
| 72 |
server likewise needs to prove (authenticate) its identity to you. |
| 73 |
In the standard setting, the server has a certificate (the client can have |
| 74 |
a certificate too to prove its identity, but this is not covered by this |
| 75 |
document). This certificate contains the server's public key, some data about |
| 76 |
the server, and a digital signature and data about the signer. |
| 77 |
Digital signatures can also be made using a key pair as described earlier. |
| 78 |
|
| 79 |
To check this certificate, you should use the new option "sslcertck". When it |
| 80 |
is specified, the signature of the server certificate is checked against local |
| 81 |
trusted certificates to see whether the owner of one of the certificates has |
| 82 |
signed that server certificate, and if so, whether the signature is valid. |
| 83 |
So, if the server certificate is signed by a Certification Authority (CA), |
| 84 |
you put the CA's certificate into a directory where you keep trusted |
| 85 |
certificates, and point fetchmail to it. Fetchmail will then accept |
| 86 |
certificates signed by the owner of that certificate with the private key |
| 87 |
belonging to the public key in the certificate. |
| 88 |
You can specify this path using the "sslcertpath" option if it is |
| 89 |
different from the one OpenSSL uses by default. |
| 90 |
|
| 91 |
The idea is that the CA only gives certificates to entities whose identity it |
| 92 |
has checked and verified (and in this case, that the server name you specify |
| 93 |
does belong to it). So, if you trust the CA's verification process, you can be |
| 94 |
reasonably sure that if a certificate is signed by the CA, it really belongs to |
| 95 |
the server and owner that it claims to. |
| 96 |
|
| 97 |
Certificates are only valid in a certain time window, so your system clock |
| 98 |
should be reasonably accurate when checking certificates. |
| 99 |
|
| 100 |
Additionally, CAs keep Certificate Revocation Lists (CRLs) in which they note |
| 101 |
the certificates that are to be treated as invalid (e.g. because the server |
| 102 |
name has changed, another certificate was granted, or even because the |
| 103 |
certificate was not granted to the rightful owner). |
| 104 |
|
| 105 |
The certificate directory must be hashed in a way OpenSSL expects it: each time |
| 106 |
you modify a file in that directory or add a file to it, you need to use the |
| 107 |
"c_rehash" perl script that comes with OpenSSL (in the tools/ subdirectory, in |
| 108 |
case that it is not installed). Additionally, you might need to convert the |
| 109 |
certificates to different formats (the PEM format is expected and usually is |
| 110 |
available, DER is another one; you can convert between both using the |
| 111 |
openssl(1) utility's x509 sub-mode). |
| 112 |
|
| 113 |
The really paranoid (who chose to not trust a CA) can check the fingerprint of |
| 114 |
the public key that is used by the server. The fingerprint is a hash of that |
| 115 |
key that (hopefully) has few collisions and is hard to attack using a "birthday |
| 116 |
attack", i.e. nobody can generate a second key that hashes to the same value of |
| 117 |
the original key in reasonable time. So, if the fingerprint matches, you can be |
| 118 |
reasonably sure that you are talking to the original server, because |
| 119 |
only that server knows the secret key, and it is very hard to generate a |
| 120 |
matching secret key from the public key. If the fingerprint does not |
| 121 |
match, there might be an attack, but, before panicking, keep in mind |
| 122 |
that the server key may also have changed legitimately. |
| 123 |
|
| 124 |
Fetchmail will present the fingerprint to you in verbose mode. You can have |
| 125 |
fetchmail check the fingerprint (using the "sslfingerprint" option, and giving |
| 126 |
the desired fingerprint as an argument). |
| 127 |
|
| 128 |
The fingerprints fetchmail uses are MD5 sums. You can generate them e.g. using |
| 129 |
openssl(1)'s "x509 -fingerprint" command. The format is a hexadecimal string |
| 130 |
with a ":" separating two bytes (i.e. a ":" between every two hex "digits"). The |
| 131 |
match is case insensitive since release 6.3.10 (upper-case digits A to F were |
| 132 |
required up to and including release 6.3.9). |
| 133 |
|
| 134 |
*CAVEAT*: OpenSSL must be at least version 0.9.7 to be able to check CRLs. |
| 135 |
|
| 136 |
- Thomas Moestl <tmoestl@gmx.net> |
| 137 |
- Matthias Andree |
