Menu
▾
▴
fetchmail-users
|
From: Phillip S. <ps...@ir...> - 2007-07-13 17:26:35
|
My ISP recently migrated to a new pop server and they have not figured out how to configure a proper SSL certificate. The one that is installed is a dummy test certificate which is self signed and has the wrong CN. This causes fetchmail to bail out with SSL errors. Is there a way to direct fetchmail to ignore the problems with the certificate and proceed anyhow? |
|
From: Matthias A. <mat...@gm...> - 2007-07-13 17:52:33
|
Phillip Susi schrieb: > My ISP recently migrated to a new pop server and they have not figured > out how to configure a proper SSL certificate. The one that is > installed is a dummy test certificate which is self signed and has the > wrong CN. This causes fetchmail to bail out with SSL errors. Is there > a way to direct fetchmail to ignore the problems with the certificate > and proceed anyhow? Omit the "sslcertck" option from command line AND .fetchmailrc file and also omit the "sslfingerprint" option and its argument, if you use(d) it. Without sslcertck and sslfingerprint, fetchmail should complain but continue, but the best option is to urge them to get a proper certificate or at least provide their root signing certficate for download. |
|
From: Phillip S. <ps...@ir...> - 2007-07-13 18:47:18
|
Matthias Andree wrote: > Omit the "sslcertck" option from command line AND .fetchmailrc file and > also omit the "sslfingerprint" option and its argument, if you use(d) it. I don't use these options. Is there a way to explicitly negate those options? > Without sslcertck and sslfingerprint, fetchmail should complain but > continue, but the best option is to urge them to get a proper certificate > or at least provide their root signing certficate for download. It is a self signed certificate and I even tried capturing the certificate using openssl s_connect, following the instructions I found at http://www.dns.net/andras/computer/ssl-fetchmail.html, but fetchmail still errors out because the CN does not match the hostname. |
|
From: Matthias A. <mat...@gm...> - 2007-07-13 20:41:01
|
Phillip Susi schrieb: > Matthias Andree wrote: >> Omit the "sslcertck" option from command line AND .fetchmailrc file and >> also omit the "sslfingerprint" option and its argument, if you use(d) it. > > I don't use these options. Is there a way to explicitly negate those > options? No need, these are disabled by default. > It is a self signed certificate and I even tried capturing the > certificate using openssl s_connect, following the instructions I found > at http://www.dns.net/andras/computer/ssl-fetchmail.html, but fetchmail > still errors out because the CN does not match the hostname. It should complain, but continue - providing the server doesn't crash or abort. The fetchmail -vv --nosyslog -Nd0 output should shed some light on the issue. HTH Matthias |
|
From: Phillip S. <ps...@ir...> - 2007-07-16 20:39:37
|
Matthias Andree wrote: > See the socket error? Apparently the server drops the connection. > > Try 6.3.8 - the non-SSL fallback is fixed there (at the expense of not > encrypting the connection though, so don't do that over WLAN with just WEP > or via public access networks). I can force fetchmail to not use ssl at all and it works, but I'd like it to use ssl. I have managed to successfully connect to the server from my windows machine running thunderbird, and I have packet captures of the conversation and compared them to the packet capture from fetchmail. It appears that for fetchmail, the server closes the connection after sending the certificate, but I notice that it negotiates a different cipher than thunderbird, which works. Thunderbird negotiates the TLS_RSA_WITH_RC4_128_MD5 ( 0x0004 ) cipher, but fetchmail does not list this as a cipher it supports in its client HELLO frame, so the server answers with TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA ( 0x0016 ) as the negotiated cipher, then the next frame it sends its certificate and a two alerts, one fatal, one a warning, both saying Close Notify. This leads me to believe that the server does not like any of the ciphers that fetchmail supports. Does this make sense, and how can I get fetchmail to use the TLS_RSA_WITH_RC4_128_MD5 cipher? |
|
From: Matthias A. <mat...@gm...> - 2007-07-17 15:11:07
|
Phillip Susi schrieb: > I can force fetchmail to not use ssl at all and it works, but I'd like > it to use ssl. I have managed to successfully connect to the server >>from my windows machine running thunderbird, and I have packet captures > of the conversation and compared them to the packet capture from > fetchmail. It appears that for fetchmail, the server closes the > connection after sending the certificate, but I notice that it > negotiates a different cipher than thunderbird, which works. > Thunderbird negotiates the TLS_RSA_WITH_RC4_128_MD5 ( 0x0004 ) cipher, > but fetchmail does not list this as a cipher it supports in its client > HELLO frame, so the server answers with > TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA ( 0x0016 ) as the negotiated cipher, > then the next frame it sends its certificate and a two alerts, one > fatal, one a warning, both saying Close Notify. > > This leads me to believe that the server does not like any of the > ciphers that fetchmail supports. Does this make sense, and how can I > get fetchmail to use the TLS_RSA_WITH_RC4_128_MD5 cipher? 1. Fetchmail does not offer direct control over the supported ciphers, but you might want to try --sslproto SSL3 (or SSL2; SSL23 is the default, no need to try that) to see if that improves your situation. 2. Can I ask you to file a BerliOS bug report against fetchmail stating that fetchmail does not report SSL negotiation errors properly using ERR_error_string(3ssl), and a pointer to this subject? Thanks. Best regards Matthias Andree |
|
From: Phillip S. <ps...@ir...> - 2007-07-17 20:23:10
|
Matthias Andree wrote: > 1. Fetchmail does not offer direct control over the supported ciphers, but > you might want to try --sslproto SSL3 (or SSL2; SSL23 is the default, no > need to try that) to see if that improves your situation. > > 2. Can I ask you to file a BerliOS bug report against fetchmail stating > that fetchmail does not report SSL negotiation errors properly using > ERR_error_string(3ssl), and a pointer to this subject? I will go file that bug report on launchpad now. In the mean time, I have recompiled openssl with support for the TLS_RSA_WITH_RC4_128_MD5 ( 0x0004 ) cipher, but fetchmail still has its connection rejected. When comparing the CLIENT HELLO SSL frames sent by thunderbird and fetchmail, I see that fetchmail offers a few additional ciphers that thunderbird does not, and support for zlib compression, which thunderbird does not. The only thing I see that thunderbird is sending that fetchmail is not, is an extension header of type server_name (0x0000). Would it be possible to have fetchmail send this extension as well? |
|
From: Phillip S. <ps...@ir...> - 2007-07-16 17:34:29
|
Matthias Andree wrote: > It should complain, but continue - providing the server doesn't crash or > abort. The fetchmail -vv --nosyslog -Nd0 output should shed some light on > the issue. Looks to me like the SSL layer is indeed refusing to negotiate the connection due to the name mismatch and self signedness of the server cert. Then it looks like the server fails or something when fetchmail tries to fall back to non SSL mode. fetchmail: 6.3.4 querying xxx.com (protocol POP3) at Mon 16 Jul 2007 11:24:47 AM EDT: poll started fetchmail: POP3< +OK POP3 server ready. fetchmail: POP3> CAPA fetchmail: POP3< +OK Capability list follows fetchmail: POP3< TOP fetchmail: POP3< USER fetchmail: POP3< RESP_CODES fetchmail: POP3< PIPELINING fetchmail: POP3< EXPIRE NEVER fetchmail: POP3< UIDL fetchmail: POP3< STLS fetchmail: POP3< . fetchmail: POP3> STLS fetchmail: POP3< +OK Begin TLS negotiation fetchmail: Server certificate verification error: self signed certificate in certificate chain fetchmail: Issuer Organization: Openwave Systems, Inc. fetchmail: Issuer CommonName: Certificate Authority fetchmail: Server CommonName: InterMail Test Certificate fetchmail: Server CommonName mismatch: InterMail Test Certificate != xxx.com fetchmail: xxx.com key fingerprint: 3C:99:E5:5E:97:64:F8:6A:2E:3E:AE:39:9C:4A:08:26 21087:error:140943E8:SSL routines:SSL3_READ_BYTES:reason(1000):s3_pkt.c:1057:SSL alert number 0 fetchmail: xxx.com: opportunistic upgrade to TLS failed, trying to continue. fetchmail: Unknown login or authentication error on xxx.com fetchmail: socket error while fetching from ps...@xx... fetchmail: 6.3.4 querying xxx.com (protocol POP3) at Mon 16 Jul 2007 11:24:47 AM EDT: poll completed fetchmail: Query status=2 (SOCKET) fetchmail: Deleting fetchids file. fetchmail: normal termination, status 2 fetchmail: Deleting fetchids file. |
|
From: Matthias A. <mat...@gm...> - 2007-07-16 17:50:10
|
Phillip Susi schrieb: > Looks to me like the SSL layer is indeed refusing to negotiate the > connection due to the name mismatch and self signedness of the server > cert. Then it looks like the server fails or something when fetchmail > tries to fall back to non SSL mode. > > fetchmail: 6.3.4 querying xxx.com (protocol POP3) at Mon 16 Jul 2007 > 11:24:47 AM EDT: poll started ... > fetchmail: POP3< . > fetchmail: POP3> STLS > fetchmail: POP3< +OK Begin TLS negotiation ... > fetchmail: xxx.com: opportunistic upgrade to TLS failed, trying to continue. > fetchmail: Unknown login or authentication error on xxx.com > fetchmail: socket error while fetching from ps...@xx... > fetchmail: 6.3.4 querying xxx.com (protocol POP3) at Mon 16 Jul 2007 > 11:24:47 AM EDT: poll completed > fetchmail: Query status=2 (SOCKET) See the socket error? Apparently the server drops the connection. Try 6.3.8 - the non-SSL fallback is fixed there (at the expense of not encrypting the connection though, so don't do that over WLAN with just WEP or via public access networks). HTH Matthias |
×
Want the latest updates on software, tech news, and AI?
Get latest updates about software, tech news, and AI from SourceForge directly in your inbox once a month.
Thanks for helping keep SourceForge clean.
X