I
installed msmtp on opensuse 13.2 using yast from the package repository. My msmtprc file looks like:
defaults
tls on
tls_starttls on
#tls_trust_file /etc/ssl/certs/ca-certificates.crt
tls_certcheck off
account default
host smtp.gmail.com
port 587
auth on
user me@...423...0...
password my_pw
from me@...424.....
logfile /var/log/msmtp.log
When I have the following in the mstmprc file: tls_trust_file /etc/ssl/certs/ca-certificates.crtdefaults
tls on
tls_starttls on
#tls_trust_file /etc/ssl/certs/ca-certificates.crt
tls_certcheck off
account default
host smtp.gmail.com
port 587
auth on
user me@...423...0...
password my_pw
from me@...424.....
logfile /var/log/msmtp.log
cannot load trust file /etc/ssl/certs/ca-certificates.crt: error:2D06C06E:FIPS routines:FIPS_module_mode_set:fingerprint does not match
If I comment out the line and add tls_certcheck off, the program works, e.g. I get mail at gmail.
On the opensuse side I updated the following certs from the repository:
cd-certificates
ca-certificates-cacert
cd-certificates-mozilla
mozilla-nss
mozilla-nss-certs
From the CL I issued:
msmtp --serverinfo --tls --tls-certcheck=off
and got:
SMTP server at smtp.gmail.com (qm-in-f108.1e100.net [173.194.205.108]), port 587:
smtp.gmail.com ESMTP f3sm1907217qge.44 - gsmtp
TLS certificate information:
Owner:
Common Name: smtp.gmail.com
Organization: Google Inc
Locality: Mountain View
State or Province: California
Country: US
Issuer:
Common Name: Google Internet Authority G2
Organization: Google Inc
Country: US
Validity:
Activation time: Fri 15 Jan 2016 07:12:17 AM EST
Expiration time: Wed 13 Apr 2016 08:00:00 PM EDT
Fingerprints:
SHA1: D0:7E:B3:BB:1D:1C:72:A5:89:41:42:AA:4F:24:CC:F5:3A:8B:45:D0
MD5: E3:02:FE:B1:5E:09:08:85:07:5F:1E:78:79:9E:63:C4
Capabilities:
SIZE 35882577:
Maximum message size is 35882577 bytes = 34.22 MiB
PIPELINING:
Support for command grouping for faster transmission
STARTTLS:
Support for TLS encryption via the STARTTLS command
AUTH:
Supported authentication methods:
PLAIN LOGIN
msmtp --serverinfo --tls --tls-certcheck=off
and got:
SMTP server at smtp.gmail.com (qm-in-f108.1e100.net [173.194.205.108]), port 587:
smtp.gmail.com ESMTP f3sm1907217qge.44 - gsmtp
TLS certificate information:
Owner:
Common Name: smtp.gmail.com
Organization: Google Inc
Locality: Mountain View
State or Province: California
Country: US
Issuer:
Common Name: Google Internet Authority G2
Organization: Google Inc
Country: US
Validity:
Activation time: Fri 15 Jan 2016 07:12:17 AM EST
Expiration time: Wed 13 Apr 2016 08:00:00 PM EDT
Fingerprints:
SHA1: D0:7E:B3:BB:1D:1C:72:A5:89:41:42:AA:4F:24:CC:F5:3A:8B:45:D0
MD5: E3:02:FE:B1:5E:09:08:85:07:5F:1E:78:79:9E:63:C4
Capabilities:
SIZE 35882577:
Maximum message size is 35882577 bytes = 34.22 MiB
PIPELINING:
Support for command grouping for faster transmission
STARTTLS:
Support for TLS encryption via the STARTTLS command
AUTH:
Supported authentication methods:
PLAIN LOGIN
So the fingerprints are basically a checksum....yea, OK but I don't know how to fix this problem....I am a novice in security/cert mgmt, Can someone tell me what needs to be done to resolve the issue?Thanks
J