Closed Bug 107167 Opened 23 years ago Closed 22 years ago

pop3/imap/smtp ssl will not work with locally-signed certs

Categories

(MailNews Core :: Networking, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: sluggo, Assigned: mscott)

Attachments

(1 file)

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:0.9.5) Gecko/20011011
BuildID:    2001101117

On a test server, I'm running qpopper 4.0.3 which was compiled with openssl. I
have it set to listen on port 995 for pop3s connections. Eudora 5 will download
mail from it (over SSL) fine, but Mozilla gives me the following error:

"You cannot connect to jinx.unknown.nu because of as unknown SSL error (-8182)"

I'm pretty sure this is happening for one of two reasons:

Either there is some sort of incompatibility with the qpopper daemon for SSL, or;

Mozilla is upset because I signed my certs myself rather than having Verisign or
whoever do it.

I suspect it's the latter; however, without more specific debugging information
I can't tell for sure. I'm not sure how to get it to tell me more.


Reproducible: Always
Steps to Reproduce:
1. Set up a server running qpopper 4.0.3-ssl
2. Sign the certs yourself on said server
3. Attempt to POP your mail on the server with "secure" selected in the Mozilla
mail server properties.

Actual Results:  I got the error "You cannot connect to jinx.unknown.nu because
of as unknown SSL error (-8182)".

Expected Results:  Warned me that the authenticity of the cert could not be
established, and asked me if I wanted to continue; then, after I clicked "yes",
downloaded my mail normally.

Unfortunately, the server is only networked internally right now; otherwise, I'd
be happy to give a developer an account to test it with. I'd be glad to do more
extensive debugging tests if somebody can give me some instructions, or point me
to a page that has some. If the problem is indeed that the certs are locally
signed with a bogus authority, it seems to me that it ought to warn you about
the server but let you accept the cert anyway, like it does with https. Anyway,
let me know what else I can do.

I have my server online now, and I'd be glad to give an account for testing
purposes to whoever wants to work on this bug. Let me know.

Reporter,
Can you set up a test account and give the info in the bug to see this problem?
thanks

Okay, I've set up a pop-only account on the server. Please let me know when
you're done with it so I can remove it.

Username: poptest
Password: poptest
Address: poptest@unknown.nu
Server: jinx.unknown.nu

Reporter,
I tried to set up the account with the information below. I am not able to
connect to the server without using ssl.  Are the outgoing and incoming servers
the same as jinx.unknown.nu?
I do see the error reported here when I checked ssl with the invalid
certification error.

But I am not able to make a connection to the server even without the ssl.

That's probably because I'm not running non-SSL POP3 on there.

Will this be a problem in diagnosing? I'd rather not enable unencrypted POP3 but
I will if absolutely necessary. If you just want to see if it works, both Eudora
5 and Outlook Express can get the mail off it in SSL mode (OE barks at you,
Eudora requires the cert be manually imported).

Finally, I could also give you a shell account on there if you like. Obviously,
I wouldn't want to give that information in the bug report, but contact me
privately and I'll set you up if you think that would be helpful.

This bug has more to do with SSL because it is failing when we are trying
to make a connection.

cc javi/mscott who know more about SSL
Status: UNCONFIRMED → NEW
Ever confirmed: true

FYI: SMTP over SSL also has the same problem. Our cert is also locally signed.
However, IMAP over SSL works fine...

Changing summary -- safe to say this is not a qpopper issue.
Summary: pop3 ssl will not work with either qpopper or locally-signed certs, not sure which → pop3 ssl will not work with locally-signed certs

I'm also experiencing the same problem with basically the same setup.
qpopper 4.0.3-ssl installed with openssl listening on 995
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.1b) Gecko/20020721
it gives the same -8182 SSL error
I'm able to connect and get my mail using Microsoft Outlook Express (yuck)

At first I had thought it was a problem with my qpopper configuration, so I ran
qpopper in debug mode.  Here are the syslog messages it gave:

Jul 28 02:12:50 garage in.qpopper[12390]: TLS Init [popper.c:202]
Jul 28 02:12:50 garage in.qpopper[12390]: Attempting OpenSSL handshake [pop_tls_openssl.c:498]
Jul 28 02:12:52 garage in.qpopper[12390]: tls accept returned 0 [pop_tls_openssl.c:501]
Jul 28 02:12:52 garage in.qpopper[12390]: SSL_get_error says SSL_ERROR_SSL (1) [pop_tls_openssl.c:508]
Jul 28 02:12:52 garage in.qpopper[12390]: OpenSSL error during handshake [pop_tls_openssl.c:545]
Jul 28 02:12:52 garage in.qpopper[12390]: ...SSL error: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate [pop_tls_openssl.c:545]
Jul 28 02:12:52 garage in.qpopper[12390]: TLS/SSL Handshake failed: -1 [popper.c:213]
Jul 28 02:14:15 garage in.qpopper[12389]: (v4.0.4) Timeout (120 secs) during SSL/TLS handshake with client at 192.168.1.1 (192.168.1.1) [pop_tls_openssl.c:488]
Jul 28 02:14:15 garage in.qpopper[12389]: TLS/SSL Handshake failed: -1 [popper.c:213]

I hope this helps the developers understand a little bit more about what's going
on during the SSL handshake.  If you need to connect to my server or anything,
let me know and I'll create accounts for it.  I'll be happy to help out if you
need anything.
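An added triage script (not part of the bug or of qpopper) that reads the syslog lines quoted above, groups them by qpopper PID, and decodes the packed OpenSSL error code `error:14094412` into its library, function and reason fields; the reason field 0x412 is 1042, which OpenSSL uses for "alert 42 received from the peer", i.e. the client sent a bad_certificate alert after rejecting the server's certificate. The function names `decode_openssl_error` and `triage` and the sample log (the bug's lines reassembled onto single lines) are mine.

```python
import re
# Constructed sample: the qpopper syslog lines quoted in the bug, reassembled
# onto single lines (the wrapping in the bug text is a paste artifact).
SAMPLE_LOG = """\
Jul 28 02:12:50 garage in.qpopper[12390]: TLS Init [popper.c:202]
Jul 28 02:12:52 garage in.qpopper[12390]: SSL_get_error says SSL_ERROR_SSL (1) [pop_tls_openssl.c:508]
Jul 28 02:12:52 garage in.qpopper[12390]: ...SSL error: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate [pop_tls_openssl.c:545]
Jul 28 02:12:52 garage in.qpopper[12390]: TLS/SSL Handshake failed: -1 [popper.c:213]
Jul 28 02:14:15 garage in.qpopper[12389]: (v4.0.4) Timeout (120 secs) during SSL/TLS handshake with client at 192.168.1.1 (192.168.1.1) [pop_tls_openssl.c:488]
Jul 28 02:14:15 garage in.qpopper[12389]: TLS/SSL Handshake failed: -1 [popper.c:213]
"""
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) in\.qpopper\[(?P<pid>\d+)\]: (?P<msg>.*)$")
OSSL_RE = re.compile(r"error:(?P<code>[0-9A-Fa-f]{8}):")

# TLS alert descriptions (RFC 5246, section 7.2). OpenSSL records an alert N received
# from the peer as reason code 1000 + N, so reason 0x412 = 1042 is alert 42, bad_certificate.
TLS_ALERTS = {40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
              44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
              48: "unknown_ca", 49: "access_denied", 51: "decrypt_error"}

def decode_openssl_error(code: int) -> dict:
    """Split a packed OpenSSL error code (8 hex digits) into library, function and reason."""
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    alert = reason - 1000 if reason >= 1000 else None
    return {"lib": lib, "func": func, "reason": reason,
            "alert": alert, "alert_name": TLS_ALERTS.get(alert)}

def triage(log_text: str) -> dict:
    """Group syslog lines by qpopper PID and classify each TLS session's outcome."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s = sessions.setdefault(m["pid"], {"client": None, "alert": None, "outcome": "ok"})
        msg = m["msg"]
        ip = re.search(r"client at (\S+)", msg)
        if ip:
            s["client"] = ip.group(1)
        err = OSSL_RE.search(msg)
        if err:
            s["alert"] = decode_openssl_error(int(err["code"], 16))["alert_name"]
        if "Timeout" in msg:
            s["outcome"] = "timeout"
        elif "Handshake failed" in msg and s["outcome"] == "ok":
            # An alert from the peer means the client rejected the server's certificate;
            # the server's own TLS stack completed its side of the handshake normally.
            s["outcome"] = f"peer_alert:{s['alert']}" if s["alert"] else "failed"
    return sessions
```

For PID 12390 the result is `peer_alert:bad_certificate`, which is the server-side view of the same trust decision the client reports as -8182; PID 12389 is a plain handshake timeout with no certificate error at all.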



Error -8182 is "Peer's certificate has an invalid signature."
The 8/8/02 trunk build allows importation of SSL certs. Maybe importing the
server cert ahead of time will solve this situation.

Importing the cert did not seem to help (unless I'm doing it wrong). I'm using
the 20020813 Win32 build. If anyone else manages to get it to work, let me know.

It imported fine, but the only options were the certificate could be used to
identify web site, e-mail users, or developers. Nothing about mail servers.
Still, I checked all three just in case. Doesn't change anything, still get the
-8182 error (it's a little more verbose these days, so that's good). 

Even if this does/will work, I still think it should only be considered a
stopgap solution. 

I also get the same error for IMAP over SSL, so I'm adding that to the summary,
along with smtp (per comment 7).
Summary: pop3 ssl will not work with locally-signed certs → pop3/imap/smtp ssl will not work with locally-signed certs

no more a networking:pop issue. over to general
Assignee: naving → mscott
Component: Networking: POP → Networking: MailNews General
QA Contact: sheelar → huang

Verified under 1.1 on MacOS 9 and FreeBSD, changing the OS.
OS: Windows 98 → All
Hardware: PC → All

Hey! You guys fixed this and didn't tell anyone. I've tested pop3s and imaps
under Windows and FreeBSD on 1.1 final release and it's fine now. Well, cool.
Thanks very much...
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
QA to esther
QA Contact: huang → esther
Product: MailNews → Core
Product: Core → MailNews Core