"fingerprint" now only pins the cert's SPKI, not the cert itself.

diff --git a/interimap.md b/interimap.md
index 7d119ab8e8260e8916c8ff7266d0a2cce59374ec..b923933f8cd99f8f30596bf0eba77b55c45f6833 100644 (file)
--- a/interimap.md
+++ b/interimap.md
@@ -345,12 +345,19 @@ Valid options are:
 
 *SSL_fingerprint*
 
-:   Fingerprint of the server certificate (or its public key) in the
-    form `[ALGO$]DIGEST_HEX`, where `ALGO` is the used algorithm
-    (by default `sha256`).
+:   Fingerprint of the server certificate's Subject Public Key Info, in
+    the form `[ALGO$]DIGEST_HEX` where `ALGO` is the used algorithm (by
+    default `sha256`).
     Attempting to connect to a server with a non-matching certificate
-    fingerprint causes `interimap` to abort the connection during the
-    SSL/TLS handshake.
+    SPKI fingerprint causes `interimap` to abort the connection during
+    the SSL/TLS handshake.
+
+    You can use the following command to compute the SHA-256 digest of
+    certificate's Subject Public Key Info.
+
+        openssl x509 -in /path/to/server/certificate.pem -pubkey \
+        | openssl pkey -pubin -outform DER \
+        | openssl dgst -sha256
 
 *SSL_verify*
 

diff --git a/lib/Net/IMAP/InterIMAP.pm b/lib/Net/IMAP/InterIMAP.pm
index a899831fb34a428681cad9d1958a87c7386e8f2b..7a1ba3424a568c0d5b4bdba829939dddae81f1fc 100644 (file)
--- a/lib/Net/IMAP/InterIMAP.pm
+++ b/lib/Net/IMAP/InterIMAP.pm
@@ -1539,8 +1539,8 @@ sub _ssl_verify($$$) {
             my $type = Net::SSLeay::EVP_get_digestbyname($algo)
                 or $self->_ssl_error("Can't find MD value for name '$algo'");
 
-            if (Net::SSLeay::X509_digest($cert, $type) ne $digest and
-                Net::SSLeay::X509_pubkey_digest($cert, $type) ne $digest) {
+            my $pkey = Net::SSLeay::X509_get_X509_PUBKEY($cert);
+            unless (defined $pkey and Net::SSLeay::EVP_Digest($pkey, $type) eq $digest) {
                 $self->warn("Fingerprint doesn't match!  MiTM in action?");
                 $ok = 0;
             }

diff --git a/pullimap.md b/pullimap.md
index 06e5988e9884804267e6e6e4877d97a424dabfdb..cb2a07ab73cbd1861245cc2cbfe91ca1ddf0ce7e 100644 (file)
--- a/pullimap.md
+++ b/pullimap.md
@@ -210,12 +210,19 @@ Valid options are:
 
 *SSL_fingerprint*
 
-:   Fingerprint of the server certificate (or its public key) in the
-    form `[ALGO$]DIGEST_HEX`, where `ALGO` is the used algorithm
-    (by default `sha256`).
+:   Fingerprint of the server certificate's Subject Public Key Info, in
+    the form `[ALGO$]DIGEST_HEX` where `ALGO` is the used algorithm (by
+    default `sha256`).
     Attempting to connect to a server with a non-matching certificate
-    fingerprint causes `pullimap` to abort the connection during the
-    SSL/TLS handshake.
+    SPKI fingerprint causes `pullimap` to abort the connection during
+    the SSL/TLS handshake.
+
+    You can use the following command to compute the SHA-256 digest of
+    certificate's Subject Public Key Info.
+
+        openssl x509 -in /path/to/server/certificate.pem -pubkey \
+        | openssl pkey -pubin -outform DER \
+        | openssl dgst -sha256
 
 *SSL_verify*