ATT's sbcglobal.net POP3 uses SSL certificates. Ever since it was discovered that their email was vulnerable to attack because they hadn't regularly updated their SSL certificate, they now do so "super" regularly (multiple times a day apparently).

Claws issues a warning for each change:

----------------------------------------------------
SSL certificate changed
Certificate for inbound att.net has changed
Do you want to accept it?
Signature status: Correct
> View Certificates
---------------------------------------------------

Both old and new certificate signers are:
Name: VeriSign Class 3 Secure Server CA - G3
Organization: VeriSign\. Inc.
Location: US

This signature status of the new Certificate is: "Correct"
And expires on: 04/25/15 (Sat) 16:59

Claws waits for a response: Cancel connection or Accept and save

There should be an option to automatically "Accept and save" if the status of a new certificate is "correct". It would be best if this were done on an account by account basis (Most vendors change certificates rarely).

As it is now, I have to turn off processing of sbcglobal.net (att.net) so that when I'm away from my desk, processing of all my other accounts can proceed w/o delay. I then have to turn processing of sbcglobal.net on and "Get Mail" to pick up my AT&T mail - and then turn it off again.
This was actually implemented in GIT some 9 hours before your request.
Alright!!! Thanks. Almost ESP ;) Will update from GIT...
Upgraded via Git to: version 3.10.0-11-gfe5dbb

In Account:
Set SSL to Automatically accept unknown valid SSL certificates
Set Use non-blocking SSL

When the certificate is changed, I still get:
-----------------------------------------------
"SSL certificate changed"
Certificate for inbound.att.net has changed
Do you want to accept it?
Signature status: No Certificate issuer found
-----------------------------------------------
I answer Yes/Save

Here's the certificate detail:
-----------------------------------------------
Known certificate
Owner
Name: inbound.att.net
Organization: AT&T Services\, Inc.
Location: Southfield, US
Signer
Name: VeriSign Class 3 Secure Server CA-G3
Organization: VeriSign, Inc.
Location: US
Fingerprint:
MD5: AB:6E:6F:8F:9C:FD:CB:C8:2F:B7:D2:E2:B5:7E:88:43
SHA1: 8A:C0:8B:B9:81:EE:E7:B9:54:45:DA:C8:4D:1E:22:D4:EC:F8:7F:CD
Signature Status: Correct
Expires on: 04/25/15 (Sat) 16:59

New Certificate
Same as above except
Fingerprint:
MD5: 6E:C5:05:18:0A:1A:13:41:E4:B4:1A:10:2F:E7:38:A9
SHA1: 8A:B1:C8:10:FE:85:EF:36:E0:A5:ED:28:EB:4E:91:FA:A0:93:4F:21
Signature Status: No certificate issuer found
Expires on: 09/29/14 (Mon) 16:59
--------------------------------------------------

So, unfortunately, the issue still exists.
Hi,

This is due to "Signature Status: No certificate issuer found"

As the certificate is invalid, you get the confirmation.

It is possible that it is wrongly invalid if you have an old Libetpan (if using IMAP).
(In reply to comment #4)
> Hi,
>
> This is due to "Signature Status: No certificate issuer found"
>
> As the certificate is invalid, you get the confirmation.
>
> It is possible that it is wrongly invalid if you have an old Libetpan (if
> using IMAP).

Hi Colin,

I'm using POP3(SSL) and SSL for SMTP. I keep my system up-to-date - but I'll check out Libetpan (although I'm not using IMAP).

While AT&T in perfect, historically I've not found their certificates invalid.

Also, I'll start taking snapshots of their certificates - just in case they are sending the SAME certificate - and even though I say "Save it", it's not being saved and/or accepted because it looks "invalid".
Sentence should have been "While AT&T is not perfect..."
According to the openssl CLI, there's really a problem with their cert:

$ openssl s_client -host inbound.att.net -port 995
CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=Michigan/L=Southfield/O=AT&T Services, Inc./OU=att.net Mail 2/CN=inbound.att.net
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
subject=/C=US/ST=Michigan/L=Southfield/O=AT&T Services, Inc./OU=att.net Mail 2/CN=inbound.att.net
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 4399 bytes and written 831 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 67321ACBF88FB1D4D70DE8BD0A96FF09E0642B7C8A6A65B89D66EEB6E47F7647
    Session-ID-ctx:
    Master-Key: 8AA9033C4191D0F0E79EB9E32457CC273B78324007CA1EA396384B941D623BD29EFE778D644834133D9E77414D8D936D
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1401460590
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
+OK hello from popgate-0.8.0.504347 pop112.sbc.mail.bf1.yahoo.com
quit
+OK
How weird. When I try I get:

-------------------------------------------------------
openssl s_client -host inbound.att.net -port 995
CONNECTED(00000003)
depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
verify return:1
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)10, CN = VeriSign Class 3 Secure Server CA - G3
verify return:1
depth=0 C = US, ST = Michigan, L = Southfield, O = "AT&T Services, Inc.", OU = att.net Mail 2, CN = inbound.att.net
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Michigan/L=Southfield/O=AT&T Services, Inc./OU=att.net Mail 2/CN=inbound.att.net
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
subject=/C=US/ST=Michigan/L=Southfield/O=AT&T Services, Inc./OU=att.net Mail 2/CN=inbound.att.net
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 4399 bytes and written 831 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 3542C018AE96BBA11E2831793DD7A2657D0902B5753D1FA0AA2DE7A322494E7C
    Session-ID-ctx:
    Master-Key: 0EA3A949E8865DAA5F33199A902C44328666E16968B4F48C529110DD81A685FCD1A748165FBF91169A9E41A0DE6CF30C
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1401463718
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
+OK hello from popgate-0.8.0.504347 pop103.sbc.mail.ne1.yahoo.com
read:errno=0
------------------------------------------------------------------

Which looks O.K. to me.

I'm using OpenSSL 1.0.1g 7 Apr 2014
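Added example (not part of the original thread, and not Claws Mail or libetpan code): the two transcripts above show the same server chain with different verify results. This Python sketch parses an `openssl s_client` transcript, applies the accept-only-if-valid policy discussed in this thread, and names the issuer the local trust store lacks; the sample text is constructed from the thread's output with DNs trimmed, and `parse_chain` and `triage` are hypothetical names.

```python
import re

# Constructed sample: the chain both transcripts in this thread show, DNs trimmed.
CHAIN = """Certificate chain
 0 s:/CN=inbound.att.net
   i:/CN=VeriSign Class 3 Secure Server CA - G3
 1 s:/CN=VeriSign Class 3 Secure Server CA - G3
   i:/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/OU=Class 3 Public Primary Certification Authority
---
"""
FAILING = ("depth=2 CN = VeriSign Class 3 Public Primary Certification Authority - G5\n"
           "verify error:num=20:unable to get local issuer certificate\n"
           "verify return:0\n---\n" + CHAIN +
           "    Verify return code: 20 (unable to get local issuer certificate)\n")
PASSING = "verify return:1\n---\n" + CHAIN + "    Verify return code: 0 (ok)\n"


def parse_chain(transcript):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    pairs = re.findall(r"^ *\d+ s:(.+)\n +i:(.+)$", transcript, re.M)
    return [(s.strip(), i.strip()) for s, i in pairs]


def triage(transcript):
    """Return (action, verify_code, issuer_missing_from_local_store)."""
    m = re.search(r"Verify return code: (\d+) \(", transcript)
    if m is None:
        raise ValueError("no 'Verify return code' line: handshake incomplete?")
    code = int(m.group(1))
    if code == 0:
        return ("accept", 0, None)  # chain verified against the local trust store
    missing = None
    err = re.search(r"^depth=(\d+) .*\nverify error:num=20:", transcript, re.M)
    chain = parse_chain(transcript)
    if err and int(err.group(1)) < len(chain):
        # Assumption: the server sent its chain in order, so error 20 at depth N
        # means the issuer of chain[N] is absent from this machine's trust store.
        # That is why the same chain can verify on another machine.
        missing = chain[int(err.group(1))][1]
    return ("prompt", code, missing)  # never auto-accept an unverified change


if __name__ == "__main__":
    for name, text in (("failing", FAILING), ("passing", PASSING)):
        print(name, triage(text))
```
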
Updated version to GIT since I'm running: 3.10.0-11-gfe5dbb
Is this still an issue for you with the latest version of libetpan? Re-open if it is. Thanks.
Have been testing it today on an account that had previously failed - and have not seen the problem re-occur. If it does fail, I'll let you know ;)