[Users] POP3S - SSL Handshake Failures.

ENI info at endeavor-networks.com
Thu Sep 4 07:32:29 CEST 2014

We downloaded gnutls-3.2.16-w32, and utilized a few utilities within
(certtool, gnutls-server, gnutls-cli) to uncover more information.

We used certtool to generate a self-signed CA cert, and a server cert
on a system with CM installed. The certtool "--template=file" option
did not work. 

We connected to gnutls-server, with gnutls-cli, using a loopback IP
(hostname=localhost, cn=localhost).

Server Setup:
gnutls-serv -p 995 --x509cafile x509-ca.pem --x509keyfile x509-localhost-key.pem --x509certfile x509-localhost.pem

Client Setup:
gnutls-cli -p 995 localhost --x509cafile x509-ca.pem  

A connection from "gnutls-cli" resulted in the following server console output:

* Successful handshake from IPv4 port 2722
- Description: (TLS1.2)-(RSA)-(AES-128-GCM)
- Session ID: C2:33:DF:B1:DE:54:31:<redacted>
- Given server name[1]: localhost
No certificates found!
- Version: TLS1.2
- Key Exchange: RSA
- Cipher: AES-128-GCM
- Compression: NULL
- Channel binding 'tls-unique': f16229<redacted>
- Peer did not send any certificate.

We configured claws-mail-3.10.1-pkg56 (Win32) to connect via the
loopback. A connection from CM resulted in the following server console output:

* Successful handshake from IPv4 port 2723
- Description: (SSL3.0)-(RSA)-(AES-128-CBC)-(SHA1)
- Session ID: B7:9D:B2:37:C9:DA:06:<redacted>
No certificates found!
- Version: SSL3.0
- Key Exchange: RSA
- Cipher: AES-128-CBC
- Compression: NULL
- Channel binding 'tls-unique': 50d870<redacted>
- Peer did not send any certificate.

The connection established was SSL3.0 rather than TLS1.x. We used the
debug option with gnutls-server. There was no evidence of CM (Win32)
attempting to use TLS.

The GnuTLS .DLLs within "claws-mail-3.10.1-pkg56" are substantially
smaller than those within the oldest available (gnutls-3.2.9-w32)
"GnuTLS for Windows" package from gnutls.org.

It appears that the CM (Win32) installation does not support TLS when
the "Use SSL for POP3 Connection" option is enabled for POP3.

We only see CM (Win32) attempting to connect to our hosted server with
SSL, and failing to do so.

We've concluded that our service provider has recently dropped support
for SSL on the server, even though they have not yet acknowledged it.
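
Added example, not part of the original post: a short Python parser for the gnutls-serv console output quoted above, grouping the "- Key: value" lines per handshake and listing the sessions that negotiated SSL3.0 instead of TLS1.x. The function names are illustrative, and the sample text is the two sessions copied from the post.

```python
import re

# Console output of the two sessions, copied from the post above.
SAMPLE = """\
* Successful handshake from IPv4 port 2722
- Description: (TLS1.2)-(RSA)-(AES-128-GCM)
- Session ID: C2:33:DF:B1:DE:54:31:<redacted>
- Given server name[1]: localhost
No certificates found!
- Version: TLS1.2
- Key Exchange: RSA
- Cipher: AES-128-GCM
- Compression: NULL
- Channel binding 'tls-unique': f16229<redacted>
- Peer did not send any certificate.

* Successful handshake from IPv4 port 2723
- Description: (SSL3.0)-(RSA)-(AES-128-CBC)-(SHA1)
- Session ID: B7:9D:B2:37:C9:DA:06:<redacted>
No certificates found!
- Version: SSL3.0
- Key Exchange: RSA
- Cipher: AES-128-CBC
- Compression: NULL
- Channel binding 'tls-unique': 50d870<redacted>
- Peer did not send any certificate.
"""

HANDSHAKE = re.compile(r"^\* Successful handshake from (\S+) port (\d+)")
FIELD = re.compile(r"^- ([^:]+): (.*)$")

def parse_sessions(text):
    """Return one dict per handshake, keyed by the console field names."""
    sessions, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HANDSHAKE.match(line)
        if m:  # a new session block starts here
            current = {"family": m.group(1), "port": int(m.group(2))}
            sessions.append(current)
            continue
        f = FIELD.match(line)
        if f and current is not None:  # lines without "key: value" are skipped
            current[f.group(1)] = f.group(2)
    return sessions

def legacy_sessions(sessions):
    """Sessions whose negotiated version is SSL rather than TLS."""
    return [s for s in sessions if s.get("Version", "").upper().startswith("SSL")]
```
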

