Bug 3193 - SSL Certificate changed
Summary: SSL Certificate changed
Status: RESOLVED FIXED
Alias: None
Product: Claws Mail (GTK 2)
Classification: Unclassified
Component: Other
Version: 3.10.1
Hardware: PC Linux
Importance: P3 enhancement
Assignee: users
Reported: 2014-05-29 07:19 UTC by lbickley
Modified: 2014-07-05 21:41 UTC

Description lbickley 2014-05-29 07:19:13 UTC
ATT's sbcglobal.net POP3 uses SSL certificates. Ever since it was discovered that their email was vulnerable to attack because they hadn't regularly updated their SSL certificate, they now do so "super" regularly (multiple times a day apparently). Claws issues a warning for each change:
----------------------------------------------------
SSL certificate changed

Certificate for inbound.att.net has changed
Do you want to accept it?

Signature status: Correct

> View Certificates
---------------------------------------------------
Both old and new certificate signers are:
Name: VeriSign Class 3 Secure Server CA - G3
Organization: VeriSign, Inc.
Location: US

The signature status of the new certificate is: "Correct"
And expires on: 04/25/15 (Sat) 16:59

Claws waits for a response:
Cancel connection
or
Accept and save

There should be an option to automatically "Accept and save" if the status of a new certificate is "correct". It would be best if this were done on an account by account basis (Most vendors change certificates rarely).

As it is now, I have to turn off processing of sbcglobal.net (att.net) so that when I'm away from my desk, processing of all my other accounts can proceed w/o delay. I then have to turn processing of sbcglobal.net on and "Get Mail" to pick up my AT&T mail - and then turn it off again.
Comment 1 Paul 2014-05-29 08:19:37 UTC
This was actually implemented in GIT some 9 hours before your request.
Comment 2 lbickley 2014-05-29 15:58:39 UTC
Alright!!! Thanks. Almost ESP ;)
Will update from GIT...
Comment 3 lbickley 2014-05-30 03:31:36 UTC
Upgraded via Git to: version 3.10.0-11-gfe5dbb

In Account:
Set SSL to Automatically accept unknown valid SSL certificates
Set Use non-blocking SSL

When the certificate is changed, I still get:
-----------------------------------------------
"SSL certificate changed"

Certificate for inbound.att.net has changed
Do you want to accept it?

Signature status: No Certificate issuer found
-----------------------------------------------
I answer Yes/Save


Here's the certificate detail:
-----------------------------------------------
Known certificate

Owner
Name: inbound.att.net
Organization: AT&T Services, Inc.
Location: Southfield, US

Signer

Name: VeriSign Class 3 Secure Server CA-G3
Organization: VeriSign, Inc.
Location: US

Fingerprint: MD5: AB:6E:6F:8F:9C:FD:CB:C8:2F:B7:D2:E2:B5:7E:88:43
             SHA1: 8A:C0:8B:B9:81:EE:E7:B9:54:45:DA:C8:4D:1E:22:D4:EC:F8:7F:CD
Signature Status: Correct
Expires on: 04/25/15 (Sat) 16:59

New Certificate

Same as above except

Fingerprint: MD5: 6E:C5:05:18:0A:1A:13:41:E4:B4:1A:10:2F:E7:38:A9
             SHA1: 8A:B1:C8:10:FE:85:EF:36:E0:A5:ED:28:EB:4E:91:FA:A0:93:4F:21
Signature Status: No certificate issuer found
Expires on: 09/29/14 (Mon) 16:59
--------------------------------------------------

So, unfortunately, the issue still exists.
Comment 4 Colin Leroy 2014-05-30 09:12:27 UTC
Hi,

This is due to "Signature Status: No certificate issuer found"

As the certificate is invalid, you get the confirmation. 

It is possible that it is wrongly invalid if you have an old Libetpan (if using IMAP).
Comment 5 lbickley 2014-05-30 15:43:11 UTC
(In reply to comment #4)
> Hi,
> 
> This is due to "Signature Status: No certificate issuer found"
> 
> As the certificate is invalid, you get the confirmation. 
> 
> It is possible that it is wrongly invalid if you have an old Libetpan (if
> using IMAP).

Hi Colin,

I'm using POP3 (SSL) and SSL for SMTP. I keep my system up-to-date - but I'll check out Libetpan (although I'm not using IMAP).

While AT&T in perfect, historically I've not found their certificates invalid. Also, I'll start taking snapshots of their certificates - just in case they are sending the SAME certificate - and even though I say "Save it", it's not being saved and/or accepted because it looks "invalid".
Comment 6 lbickley 2014-05-30 15:44:35 UTC
Sentence should have been "While AT&T is not perfect..."
Comment 7 Colin Leroy 2014-05-30 16:37:18 UTC
According to the openssl CLI, there's really a problem with their cert:

$ openssl s_client -host inbound.att.net -port 995
CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=Michigan/L=Southfield/O=AT&T Services, Inc./OU=att.net Mail 2/CN=inbound.att.net
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/C=US/ST=Michigan/L=Southfield/O=AT&T Services, Inc./OU=att.net Mail 2/CN=inbound.att.net
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 4399 bytes and written 831 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 67321ACBF88FB1D4D70DE8BD0A96FF09E0642B7C8A6A65B89D66EEB6E47F7647
    Session-ID-ctx: 
    Master-Key: 8AA9033C4191D0F0E79EB9E32457CC273B78324007CA1EA396384B941D623BD29EFE778D644834133D9E77414D8D936D
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket:
    0000 - 3b ad 64 2a c1 0b 0d 4d-67 e0 5f ab c4 99 20 3e   ;.d*...Mg._... >
    0010 - 68 d0 40 6e 11 a0 f6 f5-44 f7 e2 ac 42 38 2f 97   h.@n....D...B8/.
    0020 - e9 4c 55 d7 c8 e9 19 11-47 65 f6 ed a6 93 d5 65   .LU.....Ge.....e
    0030 - 94 62 d4 68 79 2b 52 4e-4a 3e ea 0d 65 c1 9b d7   .b.hy+RNJ>..e...
    0040 - ad d0 f1 95 e4 37 0b d4-d2 28 7f 3e 6b a7 a3 6e   .....7...(.>k..n
    0050 - fb 08 c4 eb 00 a5 9f 76-69 33 39 63 00 30 58 c1   .......vi39c.0X.
    0060 - 4c 5f 3c a8 f1 84 a2 d7-11 6f a6 1d 95 d3 fe 87   L_<......o......
    0070 - ac b0 c5 38 b5 2d af 99-8a 52 70 95 b2 f9 67 07   ...8.-...Rp...g.
    0080 - 1f a6 07 dc 4e fa 83 c2-e9 cb 40 ac fd 84 f8 6f   ....N.....@....o
    0090 - ec 06 39 7f 4d 7e 03 84-2e 2b d8 36 75 9a 1f c6   ..9.M~...+.6u...

    Start Time: 1401460590
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
+OK hello from popgate-0.8.0.504347 pop112.sbc.mail.bf1.yahoo.com 
quit
+OK
Comment 8 lbickley 2014-05-30 17:34:00 UTC
How weird. When I try I get:
-------------------------------------------------------
openssl s_client -host inbound.att.net -port 995
CONNECTED(00000003)
depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
verify return:1
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)10, CN = VeriSign Class 3 Secure Server CA - G3
verify return:1
depth=0 C = US, ST = Michigan, L = Southfield, O = "AT&T Services, Inc.", OU = att.net Mail 2, CN = inbound.att.net
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Michigan/L=Southfield/O=AT&T Services, Inc./OU=att.net Mail 2/CN=inbound.att.net
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFMTCCBBmgAwIBAgIQYWI0F4xFlNIRefG3cdT8MzANBgkqhkiG9w0BAQUFADCB
tTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDEvMC0GA1UEAxMm
VmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzMwHhcNMTQwNDI0
MDAwMDAwWhcNMTUwNDI1MjM1OTU5WjCBhjELMAkGA1UEBhMCVVMxETAPBgNVBAgT
CE1pY2hpZ2FuMRMwEQYDVQQHFApTb3V0aGZpZWxkMRwwGgYDVQQKFBNBVCZUIFNl
cnZpY2VzLCBJbmMuMRcwFQYDVQQLFA5hdHQubmV0IE1haWwgMjEYMBYGA1UEAxQP
aW5ib3VuZC5hdHQubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
pNDTlR6owPRIIx1Q7NvfFkk8Y2BiXZPcWOkJHit2yzpdn6tRCNU51sYV4bHIUX6d
iwoH7D27FGMKRjR9CHVbqSO+zpLDQ6QK3i3SNTe3Xts8YWdxUAsFgs4uxmMkzW8+
o2Pci3Z/T/haoljGh1XfdspvPEKKrgg8EC2VagFwiIxmQ8+h6abOZQ9ud23fIuqI
AJkgO5dW3dQ19pM2uprBdGilK/+OqRH3DKYIXCBENYtHFR+Y1uzxMzF0aWcToPdN
YX7SmCy6lmWeYHwBBGDHJGzu2DrNvYSQXWJ9YOdR7GYGUWEJUGosPqmTAp1jYWS0
OJS4OmBUL4PGWaFeMUMH/wIDAQABo4IBaDCCAWQwGgYDVR0RBBMwEYIPaW5ib3Vu
ZC5hdHQubmV0MAkGA1UdEwQCMAAwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQG
CCsGAQUFBwMBBggrBgEFBQcDAjBlBgNVHSAEXjBcMFoGCmCGSAGG+EUBBzYwTDAj
BggrBgEFBQcCARYXaHR0cHM6Ly9kLnN5bWNiLmNvbS9jcHMwJQYIKwYBBQUHAgIw
GRoXaHR0cHM6Ly9kLnN5bWNiLmNvbS9ycGEwHwYDVR0jBBgwFoAUDURcFlNEwYJ+
HSCrJfQBY9i+eaUwKwYDVR0fBCQwIjAgoB6gHIYaaHR0cDovL3NkLnN5bWNiLmNv
bS9zZC5jcmwwVwYIKwYBBQUHAQEESzBJMB8GCCsGAQUFBzABhhNodHRwOi8vc2Qu
c3ltY2QuY29tMCYGCCsGAQUFBzAChhpodHRwOi8vc2Quc3ltY2IuY29tL3NkLmNy
dDANBgkqhkiG9w0BAQUFAAOCAQEAKZwxhBOUkYCie5jvsLnt+2sFs7owMZFMwQqL
6ZPuRz6/bHDKTImNQtWBAuQjmLsaulks8miGYN2rMNpt2wepWiSOTTxnYDK34YQY
P4bHS5vGD1qNUktCql72RWrDWOQgRe3klA42Uznc3lGAUT29abOGmh0kV72hgqEv
EaKiO1xH8H3UHsIa/FETCsWYTQyYJZld/4UABQz6VMuDiYFbaJog6/7pkPh9wFRn
jNeYnyDJrnq9vjeCfIiBPyijK+Xga0fCMeWDlj40UvdLIfJ1ziQjrZaNC6tw9/vd
Db/BTef3fMIEUpWf49bH4uAf02vdhzrc/moplHQpvJSjBs6L/Q==
-----END CERTIFICATE-----
subject=/C=US/ST=Michigan/L=Southfield/O=AT&T Services, Inc./OU=att.net Mail 2/CN=inbound.att.net
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 4399 bytes and written 831 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 3542C018AE96BBA11E2831793DD7A2657D0902B5753D1FA0AA2DE7A322494E7C
    Session-ID-ctx: 
    Master-Key: 0EA3A949E8865DAA5F33199A902C44328666E16968B4F48C529110DD81A685FCD1A748165FBF91169A9E41A0DE6CF30C
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket:
    0000 - 08 31 c0 0e d0 f6 02 ea-b7 b7 bc 1c 17 fb 5d 96   .1............].
    0010 - 9c 5e 94 39 51 16 7c aa-17 ec 6f 2e 6d 31 59 d9   .^.9Q.|...o.m1Y.
    0020 - 61 4e f0 31 63 5a 21 db-bd 34 ff 2c 4e 17 65 b5   aN.1cZ!..4.,N.e.
    0030 - 77 62 14 f9 5c 66 5e 31-a5 c1 01 d8 72 38 51 42   wb..\f^1....r8QB
    0040 - f1 50 eb f8 f1 d5 f0 19-b6 a3 9a 47 aa fb 83 4e   .P.........G...N
    0050 - 6b 9a 03 06 18 d9 a7 80-36 9a ce 15 95 5b 81 96   k.......6....[..
    0060 - 88 8f a6 d9 22 5e 41 6a-7c 2e 8c 50 39 a5 40 9e   ...."^Aj|..P9.@.
    0070 - 63 52 ba 31 e6 ed 77 b4-94 d8 35 80 44 a7 4e b2   cR.1..w...5.D.N.
    0080 - 89 c6 f7 4a 49 6e 53 e2-11 3a f2 da bd fb e0 e0   ...JInS..:......
    0090 - 90 fe 3d 16 43 ba f0 eb-3d 97 ab a4 32 46 9c bf   ..=.C...=...2F..

    Start Time: 1401463718
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
+OK hello from popgate-0.8.0.504347 pop103.sbc.mail.ne1.yahoo.com 
read:errno=0
------------------------------------------------------------------

Which looks O.K. to me

I'm using OpenSSL 1.0.1g 7 Apr 2014
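The two openssl runs in comments 7 and 8 receive the same three certificates from the server (inbound.att.net, signed by Secure Server CA - G3, signed by Public Primary CA - G5) and differ only in the verify result. "Verify return code: 20 (unable to get local issuer certificate)" means openssl walked the server-sent chain to its top and found no trusted issuer for it in the local CA store; in comment 8 the old "Class 3 Public Primary Certification Authority" root is present locally ("depth=3 ... verify return:1"), so the identical chain verifies. The script below is an added example, not code from this bug report, Claws Mail or libetpan: it builds a three-tier chain offline, reproduces both outcomes with `openssl verify`, and then applies the per-account rule requested in the description (silently accept and pin an unknown certificate only when it validates; anything else still needs a human). It assumes only the openssl CLI (1.1.1 or newer); the names Example Root CA, inbound.example.test and the pins file are invented for the demonstration.

```shell
#!/bin/sh
# Added example for this bug page; not Claws Mail, libetpan or reporter code.
# Assumes an openssl CLI (1.1.1+). All names and files below are invented.

# Build root -> intermediate -> leaf in directory $1: the same three-level
# shape the AT&T server sent (leaf, Secure Server CA - G3, Primary CA - G5).
make_chain() {
    dir=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:inbound.example.test\n' > "$dir/leaf.ext"
    for name in root int leaf; do
        case $name in
            root) subj="/CN=Example Root CA" ;;
            int)  subj="/CN=Example Intermediate CA" ;;
            leaf) subj="/CN=inbound.example.test" ;;
        esac
        openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
            -subj "$subj" -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    done
    # The root self-signs its request; each lower tier is signed by the one above.
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 30 -sha256 \
        -extfile "$dir/ca.ext" -out "$dir/root.crt" 2>/dev/null
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$dir/ca.ext" -out "$dir/int.crt" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$dir/leaf.ext" -out "$dir/leaf.crt" 2>/dev/null
}

# Verify the leaf with the intermediate supplied as untrusted input (what a
# server sends). With "$2" = with-root the root is trusted; otherwise no CA
# file or directory is consulted, which yields "error 20 ... unable to get
# local issuer certificate", the condition seen in comment 7. Exit status is
# openssl's own.
verify_chain() {
    dir=$1
    if [ "$2" = with-root ]; then
        openssl verify -CAfile "$dir/root.crt" -untrusted "$dir/int.crt" "$dir/leaf.crt" 2>&1
    else
        openssl verify -no-CAfile -no-CApath -untrusted "$dir/int.crt" "$dir/leaf.crt" 2>&1
    fi
}

# SHA-256 fingerprint of a PEM certificate, hex only. Claws displayed MD5 and
# SHA1 in 2014; SHA-256 is what to pin now.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Trust-on-first-use decision for one account. $1 = pins file holding the
# saved fingerprint, $2 = certificate presented now, $3 = "ok" when chain
# verification succeeded, anything else when it did not. An unknown *valid*
# certificate is accepted and saved without asking; a change, or an unknown
# certificate that fails validation, is reported so the caller can prompt.
pin_check() {
    pins=$1; cert=$2; status=$3
    fp=$(cert_fingerprint "$cert")
    if [ ! -s "$pins" ]; then
        if [ "$status" = ok ]; then
            printf '%s\n' "$fp" > "$pins"
            echo accept-and-save
        else
            echo prompt-unknown-invalid
        fi
    elif [ "$(cat "$pins")" = "$fp" ]; then
        echo unchanged
    elif [ "$status" = ok ]; then
        echo changed-valid
    else
        echo changed-invalid
    fi
}

# Stand-alone demonstration.
WORK=$(mktemp -d)
make_chain "$WORK"
echo "with the root trusted:";   verify_chain "$WORK" with-root
echo "with no trusted root:";    verify_chain "$WORK" no-root || true
echo "leaf fingerprint: $(cert_fingerprint "$WORK/leaf.crt")"
echo "first sight:  $(pin_check "$WORK/pins" "$WORK/leaf.crt" ok)"
echo "second sight: $(pin_check "$WORK/pins" "$WORK/leaf.crt" ok)"
echo "other cert:   $(pin_check "$WORK/pins" "$WORK/int.crt" ok)"
rm -rf "$WORK"
```

Against a live server the equivalent diagnosis is `openssl s_client -connect inbound.att.net:995 -showcerts` to dump every certificate the server sends, then `openssl verify` on that chain with `-CAfile` pointing at the root you believe should anchor it; if that reports error 20 while a second machine reports OK, the machines differ in their CA stores, not in what the server sent.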
Comment 9 lbickley 2014-06-01 20:04:39 UTC
Updated version to GIT since I'm running: 3.10.0-11-gfe5dbb
Comment 10 Paul 2014-07-05 09:36:53 UTC
Is this still an issue for you with the latest version of libetpan?
Re-open if it is. Thanks.
Comment 11 lbickley 2014-07-05 21:41:24 UTC
Have been testing it today on an account that had previously failed - and have not seen the problem re-occur.

If it does fail, I'll let you know ;)
