[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [msmtp-users] Fingerprints do not match - how to fix??



Hi John!

On Tue, 26 Jan 2016 23:19:44 -0500, John Hudak wrote:
> When I have the following in the mstmprc file: tls_trust_file
> /etc/ssl/certs/ca-certificates.crt
> I get the following error:
> cannot load trust file /etc/ssl/certs/ca-certificates.crt:
> error:2D06C06E:FIPS routines:FIPS_module_mode_set:fingerprint does
> not match

Googling for the error message suggest that this might be an issue with
OpenSSL/FIPS. I am not sure though since I do not use either, and I do
not understand the error message.

However, there may be several workarounds:
- Do not use /etc/ssl/certs/ca-certificates.crt.
  Instead, get https://pki.google.com/roots.pem and use that.
- Do not use a trust file, but use fingerprinting instead.
  Get the fingerprint with --serverinfo (you already did that) and
  use it with --tls-fingerprint. Note that these certificate
  fingerprints are not related to the strange error message you got.
- Use a version of msmtp that uses GnuTLS instead of OpenSSL (that is
  recommended and the default anyway).

Regards,
Martin