On Sat, Oct 23, 2010 at 12:57:39 -0600, Joseph wrote:
> I used this command to obtain the certificates:
> openssl s_client -connect pop.gmail.com:995 -showcerts
> 
> So I assumed the top certificate is Google
> the bottom one is Equifax
> Can anybody verify it? Someone suggested that the bottom one is not Equifax 
> certificate.
> 
[...]
> Certificate chain
>  0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com
>    i:/C=US/O=Google Inc/CN=Google Internet Authority
[...]
>  1 s:/C=US/O=Google Inc/CN=Google Internet Authority
>    i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

There is actually a three-step chain involved.  The two you show are
both sent to the fetchmail client by the GMail server as part of the SSL
negotiation process.

You can see that the first one (number 0) is issued to
"CN=pop.gmail.com" (that's the Subject: field), and issued by "CN=Google
Internet Authority".

The second one (number 1) is issued to "CN=Google Internet Authority" by
"OU=Equifax Secure Certificate Authority".  Basically, this certificate
tells your fetchmail client that Equifax certifies that it's okay to
trust certificates issued by the Google Internet Authority.

So the question is why should your fetchmail client trust that
Equifax-issued certificate?  You do that by configuring the third
certificate as "trusted", in this case by putting it in the directory
specified by --sslcertpath.  That third certificate has the Subject of
"C=US, O=Equifax, OU=Equifax Secure Certificate Authority", and thus
there will be a complete unbroken chain from this "trusted" certificate
all the way down to the certificate number 0, with each level's Subject
matching the Issuer of the next level down.

(As Breen Mullins mentioned, you can't have the GMail server send you
all three levels of the chain or you'd just end up trusting whatever
anyone sent you.  Instead, you pre-configure the trusted root CAs on the
client, and then the server sends you all the certificates you need to
build the chain from one of those trusted roots down to the end
certificate that that particular server is using.)

                                                        Nathan
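Nathan's chain-walking rule (each level's Subject must match the Issuer of the level below it, and the top Issuer must be one of the roots pre-configured on the client) as an added example that is not part of the thread and not fetchmail's code: it parses the `Certificate chain` listing printed by `openssl s_client -showcerts` and checks the name linkage against a constructed stand-in for the --sslcertpath trust store. Name matching alone is not full verification (OpenSSL also checks signatures and validity dates); this shows only the chain-building step the message describes.

```python
import re
from typing import List, Set, Tuple

# Constructed sample in the layout `openssl s_client -showcerts` prints;
# the Subject/Issuer values are the ones quoted in the thread.
CHAIN_OUTPUT = """\
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
"""

# Constructed stand-in for the --sslcertpath directory: the Subject names
# of the root certificates the client has been configured to trust.
TRUSTED_ROOTS: Set[str] = {"/C=US/O=Equifax/OU=Equifax Secure Certificate Authority"}


def parse_chain(text: str) -> List[Tuple[str, str]]:
    """Return [(subject, issuer), ...] in the order the server sent them."""
    subjects = re.findall(r"^\s*\d+ s:(.*)$", text, re.M)
    issuers = re.findall(r"^\s*i:(.*)$", text, re.M)
    if len(subjects) != len(issuers):
        raise ValueError("malformed chain listing")
    return list(zip(subjects, issuers))


def verify_chain(chain: List[Tuple[str, str]], trusted_roots: Set[str]) -> Tuple[bool, str]:
    """Walk upward from cert 0: each Issuer must equal the next Subject,
    and the last Issuer must be a locally trusted root (name linkage only)."""
    if not chain:
        return False, "empty chain"
    for n, ((_, issuer), (next_subject, _)) in enumerate(zip(chain, chain[1:])):
        if issuer != next_subject:
            return False, f"cert {n} issuer does not match cert {n + 1} subject"
    top_issuer = chain[-1][1]
    if top_issuer not in trusted_roots:
        # This is the failure Nathan describes: nothing locally trusted
        # vouches for the top of the chain the server sent.
        return False, f"chain ends at untrusted issuer: {top_issuer}"
    return True, f"chain anchored at trusted root: {top_issuer}"


if __name__ == "__main__":
    print(verify_chain(parse_chain(CHAIN_OUTPUT), TRUSTED_ROOTS))
    print(verify_chain(parse_chain(CHAIN_OUTPUT), set()))  # empty trust store
```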
