diff -Naur claws-mail-3.17.3-orig/src/gtk/sslcertwindow.c claws-mail-3.17.3/src/gtk/sslcertwindow.c
--- claws-mail-3.17.3-orig/src/gtk/sslcertwindow.c	2018-11-07 11:31:50.000000000 +0100
+++ claws-mail-3.17.3/src/gtk/sslcertwindow.c	2019-04-20 11:01:10.004193095 +0200
@@ -70,6 +70,7 @@
 	char *tmp;
 	time_t exp_time_t;
 	struct tm lt;
+	guint ret;
 
 	/* issuer */	
 	issuer_commonname = g_malloc(BUFFSIZE);
@@ -142,13 +143,27 @@
 	} else
 		exp_date = g_strdup("");
 
-	/* fingerprint */
-	n = 128;
-	gnutls_x509_crt_get_fingerprint(cert->x509_cert, GNUTLS_DIG_SHA1, md, &n);
-	sha1_fingerprint = readable_fingerprint(md, (int)n);
-	gnutls_x509_crt_get_fingerprint(cert->x509_cert, GNUTLS_DIG_SHA256, md, &n);
-	sha256_fingerprint = readable_fingerprint(md, (int)n);
+	/* fingerprints */
+	n = 0;
+	memset(md, 0, sizeof(md));
+	if ((ret = gnutls_x509_crt_get_fingerprint(cert->x509_cert, GNUTLS_DIG_SHA1, md, &n)) == GNUTLS_E_SHORT_MEMORY_BUFFER) {
+			if (n <= sizeof(md))
+					ret = gnutls_x509_crt_get_fingerprint(cert->x509_cert, GNUTLS_DIG_SHA1, md, &n);
+	}
+	if (ret != 0)
+			g_warning("failed to obtain SHA1 fingerprint: %d", ret);
+	sha1_fingerprint = readable_fingerprint(md, (int)n); /* all zeroes */
+
+	n = 0;
+	memset(md, 0, sizeof(md));
+	if ((ret = gnutls_x509_crt_get_fingerprint(cert->x509_cert, GNUTLS_DIG_SHA256, md, &n)) == GNUTLS_E_SHORT_MEMORY_BUFFER) {
+			if (n <= sizeof(md))
+					ret = gnutls_x509_crt_get_fingerprint(cert->x509_cert, GNUTLS_DIG_SHA256, md, &n);
+	}
 
+	if (ret != 0)
+			g_warning("failed to obtain SHA256 fingerprint: %d", ret);
+	sha256_fingerprint = readable_fingerprint(md, (int)n); /* all zeroes */
 
 	/* signature */
 	sig_status = ssl_certificate_check_signer(cert, cert->status);