Bug 3222 - failure to respond to SSL Certificate change results in UI hang
Status: RESOLVED INVALID
Alias: None
Product: Claws Mail
Classification: Unclassified
Component: POP3
Version: 3.11.0
Hardware: PC Linux
Importance: P3 normal
Assignee: users
Reported: 2014-07-09 23:09 CEST by Pierre Fortin
Modified: 2014-07-10 16:09 CEST
Attachments
gmail certs (62.09 KB, image/jpeg)
2014-07-10 00:41 CEST, Pierre Fortin

Description Pierre Fortin 2014-07-09 23:09:09 CEST
Earlier today, I updated to 3.10.1-121 and fired up 2 instances as usual.  Then, after ~1.5 hours away from system, came back to dialogs about new gmail SSL certificates, so I accepted.  On one instance, CM status bar is now showing:
"Account '<gmail_account>': Connecting to POP3 server: pop.gmail.com:995..."

The UI is unresponsive.  Connected strace and get lots of output as I move the mouse across the CM window; but CM still hung...

Oh GREAT!!!  Now, the other instance is hung on a gmail account...
Comment 1 Pierre Fortin 2014-07-09 23:25:51 CEST
Interesting...  restarted one instance, got another SSL certificate dialog for a gmail account and CM locked up again even though I Acked it within a few seconds...
Comment 2 trinsnet 2014-07-09 23:53:43 CEST
I've got 3.10.1-2 on Debian Testing (Jessie) and I'm getting some GMail SSL certificate change notifications similar to yours. If I accept the new cert it works fine. If I am away from the computer and I accept the cert when I get back then I get errors because the POP connection timed out. After the errors are cleared up it checks other accounts, but it does not come back to GMail (I must check it manually).

I am not having any trouble with hanging/crashing. I only run one instance at a time.

Maybe that information can assist you in testing (update your application).
Comment 3 trinsnet 2014-07-10 00:01:23 CEST
(In reply to comment #2)
> I've got 3.10.1-2 on Debian Testing (Jessie) and I'm getting some GMail SSL
> certificate change notifications similar to yours. If I accept the new cert
> it works fine. If I am away from the computer and I accept the cert when I
> get back then I get errors because the POP connection timed out. After the
> errors are cleared up it checks other accounts, but it does not come back to
> GMail (I must check it manually).
> 
> I am not having any trouble with hanging/crashing. I only run one instance
> at a time.
> 
> Maybe that information can assist you in testing (update your application).

They seem to be switching between these two certs (almost every time I check my mail I get prompted to save the 'new' cert):
http://www.zimagez.com/zimage/screenshot-080714-062305pm.php
http://www.zimagez.com/zimage/screenshot-080714-060328pm.php
Comment 4 trinsnet 2014-07-10 00:19:31 CEST
(In reply to comment #2)
> I've got 3.10.1-2 on Debian Testing (Jessie) and I'm getting some GMail SSL
> certificate change notifications similar to yours. If I accept the new cert
> it works fine. If I am away from the computer and I accept the cert when I
> get back then I get errors because the POP connection timed out. After the
> errors are cleared up it checks other accounts, but it does not come back to
> GMail (I must check it manually).
> 
> I am not having any trouble with hanging/crashing. I only run one instance
> at a time.
> 
> Maybe that information can assist you in testing (update your application).

Please excuse me... there is no need to update your application. ><
Comment 5 Pierre Fortin 2014-07-10 00:41:11 CEST
Created attachment 1414 [details]
gmail certs

I captured this screen shot of both my CM instances' SSL certs.  I'm not familiar with the rules for handling these; but I noticed that the toggling certs bounce back and forth between 2 specific certs.  Closer inspection shows that one is set to expire 09/01/14 and the other 09/29/14...

When a "new" cert's expiration date is sooner, would it be acceptable to ignore it and keep the current, longer lasting one?  Probably a dumb question... :)
Comment 6 Charles A Edwards 2014-07-10 01:06:28 CEST
You know that under SSL in the Account setting you can set it to automatically accept Valid but unknown certificates.

I have a little used gmail account set-up as pop3 Not imap and I have never had an issue with the certificates with Claws set to "accept Valid but unknown certificates".
 
   Charles
Comment 7 trinsnet 2014-07-10 03:40:19 CEST
(In reply to comment #6)
> You know that under SSL in the Account setting you can set it to
> automatically
> accept Valid but unknown certificates.
> 
> I have a little used gmail account set-up as pop3 Not imap and I have never
> had an issue with the certificates with Claws set to "accept Valid
> but unknown certificates".
>  
>    Charles

You can set 'accept valid but unknown certs' as Charles recommends above or you can change the server to pop.googlemail.com - it seems to have a 'stable' cert. 
Note that if you change the server then your mail will redownload (assuming it is still on the server) and you'll have some de-duplication to do.
Comment 8 trinsnet 2014-07-10 04:18:26 CEST
(In reply to comment #7)
> (In reply to comment #6)
> > You know that under SSL in the Account setting you can set it to
> > automatically
> > accept Valid but unknown certificates.
> > 
> > I have a little used gmail account set-up as pop3 Not imap and I have never
> > had an issue with the certificates with Claws set to "accept Valid
> > but unknown certificates".
> >  
> >    Charles
> 
> You can set 'accept valid but unknown certs' as Charles recommends above or
> you can change the server to pop.googlemail.com - it seems to have a
> 'stable' cert. 
> Note that if you change the server then your mail will redownload (assuming
> it is still on the server) and you'll have some de-duplication to do.

I'm getting the same problem with pop.googlemail.com now
Comment 9 Pierre Fortin 2014-07-10 16:03:07 CEST
OK...  it's possible an SSL dialog was on another desktop... :P  Based on the ridiculous number of dialogs I'm having to accept, I think that is most likely what initially happened...

Anyway, the gmail cert issue is driving me nuts because I have multiple gmail accounts on each CM instance and each account goes through this...  :P :P


Ah...  Thanks Charles!  That seems to have stopped the issue...   I've unchecked one account to see if the cert changes have stopped...


Questions:  

"Automatically accept unknown valid SSL certificates" seems oxymoronic...  In the screen shot, they appear valid and 'known' (however that might be defined)...  Could this be better worded?  Maybe: "Automatically accept valid SSL certificates" -- what's "unknown" about these gmail certs?

From comment 5: When a "new" cert's expiration date is sooner, would it be acceptable[1] to ignore it and keep the current, longer lasting one? [without requiring an option?]

[1] Tried reading part of RFC5426; but I don't have enough experience with certs to grok it.
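
Added illustration, not part of the bug thread and not Claws Mail's code: a small model of why a server that alternates between two certificates (comments 3 and 5) keeps raising the dialog, and what the auto-accept option from comment 6 changes. The store that keeps one saved certificate per server, the `remember_all` policy and the fingerprints are assumptions of this model; "unknown" here means "not in the local saved store", and "valid" means "verifies against a trusted CA".

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Cert:
    fingerprint: str    # constructed sample value, not a real digest
    not_after: str      # expiry shown in the dialog; never compared by the model
    chain_valid: bool   # True if the chain verifies against a trusted CA


@dataclass
class CertStore:
    auto_accept_valid: bool = False   # models the per-account SSL option
    remember_all: bool = False        # hypothetical: keep every accepted cert
    saved: dict = field(default_factory=dict)  # (host, port) -> fingerprints
    prompts: int = 0

    def check(self, host: str, port: int, cert: Cert) -> str:
        known = self.saved.setdefault((host, port), set())
        if cert.fingerprint in known:
            return "known"                 # matches a saved certificate
        if not cert.chain_valid:
            self.prompts += 1              # never auto-accepted
            return "prompted-invalid"      # model: user declines, nothing saved
        if self.auto_accept_valid:
            outcome = "auto-accepted"      # unknown locally, but valid
        else:
            self.prompts += 1              # model: user clicks accept
            outcome = "prompted"
        if not self.remember_all:
            known.clear()                  # the new cert replaces the old one
        known.add(cert.fingerprint)
        return outcome


def count_prompts(store: CertStore, certs) -> int:
    """Poll the same server once per certificate and return dialogs shown."""
    for cert in certs:
        store.check("pop.gmail.com", 995, cert)
    return store.prompts


# Constructed sample data: two valid certs with the expiry dates from comment 5,
# served alternately, plus one cert whose chain does not verify.
CERT_A = Cert("AA:AA:AA", "09/01/14", True)
CERT_B = Cert("BB:BB:BB", "09/29/14", True)
BAD_CHAIN = Cert("CC:CC:CC", "09/29/14", False)
POLLS = [CERT_A, CERT_B, CERT_A, CERT_B, CERT_A, CERT_B]

if __name__ == "__main__":
    print("single saved cert:", count_prompts(CertStore(), POLLS))
    print("auto-accept valid:", count_prompts(CertStore(auto_accept_valid=True), POLLS))
    print("remember all:", count_prompts(CertStore(remember_all=True), POLLS))
```

In the model a certificate whose chain does not verify still raises the dialog when auto-accept is on, so the option removes prompts only for certificates that validate.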