fetchmail ssl certificate verification problem in FreeBSD 8.1

Dan Strick mla_strick at att.net
Mon Aug 16 14:00:34 UTC 2010


On Mon, 16 Aug 2010 01:57, RW wrote:

> You'd be better off installing security/ca_root_nss otherwise you'll be
> stuck with a stale file.
>
> I don't know why you don't have it, it's a dependency of fetchmail and
> many other ports.

I had it but I didn't know it.  I did discover the file it installed,
/usr/local/share/certs/ca-root-nss.crt, and started to use it for fetchmail
in place of the file from my old FreeBSD system.  After I read the above
note from RW I figured out that it referred to a port, that I had the port,
that it was a dependency of fetchmail and had been installed, and that it
was probably the source of the file /usr/local/share/certs/ca-root-nss.crt.

Erik Norgaard also mentioned the port but I didn't understand at the time
that he was referring to a port.  He also mentioned the file
/usr/src/crypto/openssl/FAQ which very briefly discusses the issue and
mentions http://www.mail-archive.com/modssl-users@modssl.org/msg16980.html
which describes a mechanism for constructing a root certificate bundle
from some obscure data file apparently produced by the Mozilla project,
but of course I lacked the background to understand these things at the
time.  I still don't understand them very well.

The relevant user options in my .fetchmailrc file are now:
	ssl sslproto SSL3 sslcertck
	sslcertfile /usr/local/share/certs/ca-root-nss.crt
	sslfingerprint "..."

Perhaps since fetchmail installs ca_root_nss as a dependency it should
also default to using the installed ca root bundle file.  Perhaps the
fetchmail port should have produced an installation message that
mentioned these things.  Perhaps the port should patch the fetchmail
man page to suggest using this file with the sslcertfile option.

I have looked very very hard for documentation on this stuff in an
obvious place but have not found any.  Where should I have looked?

Thanks,
Dan Strick
mla_strick at att.net
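Added example, not part of the original message or of fetchmail itself: the check that "sslcertck" with "sslcertfile" performs is an ordinary X.509 chain verification of the server certificate against the PEM bundle named in .fetchmailrc, and the value "sslfingerprint" compares against is the MD5 fingerprint of that server certificate in colon-separated hex. The script below reproduces both with the openssl command line on throw-away certificates it constructs itself (the CA names and "mail.example.test" are placeholders), so it shows what a bundle that does and does not contain the server's issuer looks like to the verifier without contacting any mail server.

```shell
#!/bin/sh
# Added example (not from the original post or from fetchmail): reproduce what
# fetchmail's "sslcertck" + "sslcertfile <bundle>" check amounts to, using the
# openssl CLI on certificates constructed here.  Every name below is a
# placeholder; no real server or CA is involved.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the script does not depend on the system openssl.cnf.
write_req_cnf() {          # $1 = output file, $2 = CN, $3 = "ca" or "leaf"
    {
        printf '[req]\ndistinguished_name = dn\nprompt = no\n'
        if [ "$3" = ca ]; then printf 'x509_extensions = v3_ca\n'; fi
        printf '[dn]\nCN = %s\n' "$2"
        printf '[v3_ca]\nbasicConstraints = critical,CA:TRUE\n'
        printf 'keyUsage = critical,keyCertSign,cRLSign\n'
    } > "$1"
}

make_ca() {                # $1 = file prefix, $2 = CN; self-signed root CA
    write_req_cnf "$1.cnf" "$2" ca
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$1.cnf" \
        -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

issue_server_cert() {      # $1 = file prefix, $2 = CN, $3 = CA prefix
    write_req_cnf "$1.cnf" "$2" leaf
    openssl req -new -newkey rsa:2048 -nodes -config "$1.cnf" \
        -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
    openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" \
        -CAcreateserial -days 2 -out "$1.crt" >/dev/null 2>&1
}

# The sslcertck step: does the server certificate chain to a CA in the bundle?
verify_against_bundle() {  # $1 = PEM bundle (like ca-root-nss.crt), $2 = server cert
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        return 0
    else
        return 1
    fi
}

# The value fetchmail's sslfingerprint option is compared against:
# the MD5 fingerprint of the server certificate as XX:XX:...:XX.
cert_fingerprint() {       # $1 = server cert
    openssl x509 -in "$1" -noout -fingerprint -md5 | sed 's/^[^=]*=//'
}

make_ca "$WORK/trusted-root" "Constructed Trusted Root CA"
make_ca "$WORK/other-root"   "Constructed Unrelated Root CA"
issue_server_cert "$WORK/server" "mail.example.test" "$WORK/trusted-root"

# A CA bundle is just concatenated PEM certificates, which is all that
# ca-root-nss.crt is; order does not matter to the verifier.
cat "$WORK/other-root.crt" "$WORK/trusted-root.crt" > "$WORK/bundle-with-issuer.crt"
cp  "$WORK/other-root.crt" "$WORK/bundle-without-issuer.crt"

if verify_against_bundle "$WORK/bundle-with-issuer.crt" "$WORK/server.crt"; then
    echo "bundle containing the issuer: verification OK (sslcertck would accept)"
fi
if ! verify_against_bundle "$WORK/bundle-without-issuer.crt" "$WORK/server.crt"; then
    echo "bundle missing the issuer: verification FAILED (sslcertck would refuse)"
fi
echo "sslfingerprint \"$(cert_fingerprint "$WORK/server.crt")\""
```

The second, failing case is what a stale or incomplete sslcertfile produces: the server's certificate is valid, but the bundle has no certificate that issued it, so verification fails at "unable to get local issuer certificate". The fingerprint line prints the form of value that belongs in the sslfingerprint option for the server whose certificate was checked.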
