The --no-check-certificate does not "EXPLICITLY SWITCH OFF TRANSPORT SECURITY"... it just allows the communication to proceed even when the handshake fails
Which _EXACTLY_ means NO SECURITY - at this point anybody in the middle can send his own cert and so take over the encrypted channel.
it even has an MD5 checksum verification
This doesn't add any security whatsoever, it just protects against accidental file transfer errors.
due to an error/mismatch or something weird about the site and the certificate it presents.
It's a server misconfiguration - get yourself a competent operator.
Your current one obviously is overburdened with that job.
I'm not a security expert, so could you please explain to me how this is a security risk?
The session key handshake is encrypted with the server's pubkey/privkey (which is found in the cert).
As the server's pubkey usually isn't known at the client side, it's signed by a CA (the signature is also in the cert).
If the cert cannot be verified, anybody in the middle can replace it with its own one and so pretend to be
the real server and serve anything it likes. In your case, that fake server would send a patched libssl.so binary
which contains certain backdoors to compromise the target machine.
Voilà! Dozens of Zimbra instances, running in high-profile large organisations, easily taken over, with
full access to their mail traffic.
I'd appreciate any help because, as I said, I'm not a security expert and it would be very helpful for me to understand why you see this as such a critical thing.
Oh, that's really new for your company - your devs usually reject all contributions and just spend their time
giving silly excuses for doing dumb things. One of the dumb things is bundling their own openssl instance
in the first place - just use the one already provided by the distros, they'll cope with security issues, and they're
pretty fast with that. But your devs answer such advice with silly rants against the distros.
In any case, and trying to give revanth1226 more help: as I see in the script, the error you mention results from getting the wrong exit status from this command.
Maybe the version parsing fails somewhere, or some file's missing on the server.
Redirecting all wget output to /dev/null is really counter-productive here.
@revanth1226: can you post your `zmcontrol -v` output ?
The whole script looks like it was written by a first-grader (at least my code looked like this back when I was at that age).
Hard to read, not robust, no diagnostics, ... would be okay for a hobbyist who's just doing his first programming experiments,
but not acceptable from a paid software developer.
Actually, the whole approach of replacing single files by such scripts is a totally dumb idea in the first place.
The correct way is just to do a fresh rebuild and publish the new packages in a proper (signed!) repo.
I tried discussing that with your devs, but it turned out to be a waste of my precious time.
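Added example, not part of the thread and not Zimbra's script: a Python simulation of the two points argued above, that an unauthenticated MD5 published next to the file catches accidental transfer errors but not an attacker who can replace both the file and its checksum (which is exactly what an unverified TLS handshake lets him do), whereas a tag bound to a key the attacker does not hold catches both the corruption and the substitution. The payloads are constructed bytes, and the keyed MAC under a hypothetical PUBLISHER_KEY stands in for a real repository signature (a GPG signature checked against a pinned public key); it is used here only so the example runs with the standard library.

```python
import hashlib
import hmac
import secrets

# Constructed sample payloads; not the real libssl.so files from the script.
GENUINE_LIB = b"\x7fELF\x02\x01\x01 genuine libssl.so (constructed sample)"
BACKDOORED_LIB = b"\x7fELF\x02\x01\x01 patched libssl.so with backdoor (constructed sample)"

# Hypothetical publisher key. A real signed repository uses an asymmetric key
# (e.g. a GPG signature verified against a pinned public key); a keyed MAC is
# used here only so the example runs offline with the standard library.
PUBLISHER_KEY = secrets.token_bytes(32)


def publish_md5(payload: bytes) -> tuple[bytes, str]:
    """Server side of the scheme the thread criticises: the file plus a plain MD5 next to it."""
    return payload, hashlib.md5(payload).hexdigest()


def verify_md5(payload: bytes, md5_hex: str) -> bool:
    """Client side: recompute MD5 and compare. Nothing here depends on a secret."""
    return hashlib.md5(payload).hexdigest() == md5_hex


def publish_signed(payload: bytes, key: bytes) -> tuple[bytes, str]:
    """Server side of an authenticated scheme: the tag depends on a key the attacker lacks."""
    return payload, hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_signed(payload: bytes, tag_hex: str, key: bytes) -> bool:
    """Client side: recompute the keyed tag and compare in constant time."""
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag_hex)


def accidental_corruption(payload: bytes, tag: str) -> tuple[bytes, str]:
    """A transfer error: one bit of the file flips, the published tag is untouched."""
    damaged = bytearray(payload)
    damaged[-1] ^= 0x01
    return bytes(damaged), tag


def mitm_against_md5(payload: bytes, tag: str) -> tuple[bytes, str]:
    """An attacker in the middle (what an unverified TLS handshake permits) swaps the
    file and simply serves the MD5 of his own file alongside it."""
    return BACKDOORED_LIB, hashlib.md5(BACKDOORED_LIB).hexdigest()


def mitm_against_signed(payload: bytes, tag: str) -> tuple[bytes, str]:
    """The same attacker against the keyed scheme: without PUBLISHER_KEY the best he
    can do is tag the backdoored file with a key of his own (or replay the genuine tag)."""
    forged = hmac.new(secrets.token_bytes(32), BACKDOORED_LIB, hashlib.sha256).hexdigest()
    return BACKDOORED_LIB, forged


def run_scenarios() -> dict[str, bool]:
    """Returns, per scheme and threat, whether the client rejected the download."""
    results = {}

    file_, md5_tag = publish_md5(GENUINE_LIB)
    results["md5 rejects accidental corruption"] = not verify_md5(
        *accidental_corruption(file_, md5_tag))
    results["md5 rejects mitm substitution"] = not verify_md5(
        *mitm_against_md5(file_, md5_tag))

    file_, sig_tag = publish_signed(GENUINE_LIB, PUBLISHER_KEY)
    results["signed rejects accidental corruption"] = not verify_signed(
        *accidental_corruption(file_, sig_tag), PUBLISHER_KEY)
    results["signed rejects mitm substitution"] = not verify_signed(
        *mitm_against_signed(file_, sig_tag), PUBLISHER_KEY)
    results["signed rejects replayed genuine tag on backdoored file"] = not verify_signed(
        BACKDOORED_LIB, sig_tag, PUBLISHER_KEY)
    return results


if __name__ == "__main__":
    for scenario, rejected in run_scenarios().items():
        print(f"{scenario}: {'yes' if rejected else 'NO'}")
```

The only scenario that slips through is the MD5 scheme against substitution: the checksum is computed from the very bytes the attacker controls, so it can never tell a fake apart from the original. The keyed scheme rejects the swap because the tag is rooted in something the attacker cannot produce, which is the same property the CA signature on the server certificate provides and which --no-check-certificate throws away.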