[Users] Certificates... [was: GMail is really aggravating today...]

Pierre Fortin pf at pfortin.com
Mon Oct 3 18:39:40 CEST 2016


Findings so far...  can anyone help out with a clue stick(s)?

Certificates on mail check (gmail) contain the following links (from
wireshark trace). Important to note that I got the same results on
successful and failing mail checks[0]:
- http://pki.google.com/GIAG2.crt certificate file [1] [6]
- http://clients1.google.com/ocsp Online Certificate Status Protocol[2]
- http://pki.google.com/GIAG2.crl certificate file [4]
- http://g.symcd.com returns 5-byte file: <8_random_chars>.ors [5]
- http://g.symcb.com/crls/gtglobal.crl certificate file
- http://crl.geotrust.com/crls/secureca.crl changes occasionally[3]
- https://www.geotrust.com/resources/repository root cert website

[0] I have 2 CM instance with 3 active GMail accounts each (several
    inactive). I don't understand how one [random] gmail account fails
    randomly while the others in the same scan work...

[1] Returns "already installed" when accessed via Firefox 
[2] returns 404 error; BUT...  see Note below 
[3] small file (347 bytes) -- internal timestamp+? changes

Note: http://searchsecurity.techtarget.com/definition/OCSP indicates that
OCSP is superseding CRL (Certificate Revocation List). 

Is this something CM has to address, or automatically via a lib?

I then compared this to LuxSci.com (email service I pay for); IMNSHO, they
do a WAY better job for email than Google.

- http://gn.symcb.com/gn.crl  certificate file [4]
- https://www.geotrust.com/resources/repository/legal root cert website
- http://gn.symcd.com returns 5-byte file: <8_random_chars>.ors [5]
- http://gn.symcb.com/gn.crt certificate file [6]
- http://g1.symcb.com/crls/gtglobal.crl certificate file
- http://g2.symcb.com returns a .ors file
- http://www.geotrust.com/resources/cps resolves to above legal link

[4] the LuxSci crl file is ~ 10 times larger than the GMail crl.  These
    files vary depending on source:
    $ ll *crl
    -rw-rw-r--    13212 Oct  3 10:06 GIAG2.crl
    -rw-rw-r--   122137 Oct  3 11:36 gn.crl
    -rw-rw-r--      347 Oct  3 10:12 secureca.crl
[5] all .ors files are identical
[6] .crt files are identical

Aside: I have 3 gmail accounts on my Android phone in K-9 MUA, and it has
not seen any such problem in the same time period. Same network, DNS,
etc... For completeness, I had switched to OpenDNS servers about the same
time this started. Now using google DNS ( & and still
seeing the problem.

Any other suggestions to help track down this:
  "Signature status: No certificate issuer found"?

I have no problem digging; but a road sign(s) would help...

Thanks & HTH,

PS Both CM instances use only POP3 (so does my K-9).

On Sun, 2 Oct 2016 20:46:37 -0400 Pierre Fortin wrote:

>I've been running 2 instances of CM for many years.  In case it matters,
>today, I updated from 3.14.0-87 to 3.14.0-106. Until now, CM has been
>quietly accepting GMail's toggling SSL certs. Now, CM has been stalling
>on both instances waiting for Accept and save to be clicked.
>So...  in one instance, I set ALL accounts to:
>   ssl_certs_auto_accept=0
>and ALL the accounts in the other instance to:
>   ssl_certs_auto_accept=1
>and both instances are still displaying the SSL cert dialogs.  I've
>probably hit Accept and save over 50 times today...  :P
>Looking at the .claws-mail/certs files, only the pop.gmail.com.* files
>have been updated today.  The smtp ones were last touched in Feb and Sept
>Attached image of simultaneous cert dialogs and the settings at the time.

More information about the Users mailing list