Re: [fetchmail-users] Invalid SSL certificate

[Matthias A. <mat...@gm...>]

Phillip Susi schrieb:

> I can force fetchmail to not use ssl at all and it works, but I'd like 
> it to use ssl.  I have managed to successfully connect to the server 
>>from my windows machine running thunderbird, and I have packet captures 
> of the conversation and compared them to the packet capture from 
> fetchmail.  It appears that for fetchmail, the server closes the 
> connection after sending the certificate, but I notice that it 
> negotiates a different cipher than thunderbird, which works. 
> Thunderbird negotiates the TLS_RSA_WITH_RC4_128_MD5 ( 0x0004 ) cipher, 
> but fetchmail does not list this as a cipher it supports in its client 
> HELLO frame, so the server answers with 
> TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA ( 0x0016 ) as the negotiated cipher, 
> then the next frame it sends its certificate and a two alerts, one 
> fatal, one a warning, both saying Close Notify.
> 
> This leads me to believe that the server does not like any of the 
> ciphers that fetchmail supports.  Does this make sense, and how can I 
> get fetchmail to use the TLS_RSA_WITH_RC4_128_MD5 cipher?

1. Fetchmail does not offer direct control over the supported ciphers, but
you might want to try --sslproto SSL3  (or SSL2; SSL23 is the default, no
need to try that) to see if that improves your situation.

2. Can I ask you to file a BerliOS bug report against fetchmail stating
that fetchmail does not report SSL negotiation errors properly using
ERR_error_string(3ssl), and a pointer to this subject?

Thanks.

Best regards
Matthias Andree