[Users] Certificates... [was: GMail is really aggravating today...]
pf at pfortin.com
Mon Oct 3 18:39:40 CEST 2016
Findings so far... can anyone help out with a clue stick(s)?
Certificates on mail check (gmail) contain the following links (from
wireshark trace). Important to note that I got the same results on
successful and failing mail checks:
- http://pki.google.com/GIAG2.crt certificate file  
- http://clients1.google.com/ocsp Online Certificate Status Protocol
- http://pki.google.com/GIAG2.crl certificate file 
- http://g.symcd.com returns 5-byte file: <8_random_chars>.ors 
- http://g.symcb.com/crls/gtglobal.crl certificate file
- http://crl.geotrust.com/crls/secureca.crl changes occasionally
- https://www.geotrust.com/resources/repository root cert website
 I have 2 CM instance with 3 active GMail accounts each (several
inactive). I don't understand how one [random] gmail account fails
randomly while the others in the same scan work...
 Returns "already installed" when accessed via Firefox
 returns 404 error; BUT... see Note below
 small file (347 bytes) -- internal timestamp+? changes
Note: http://searchsecurity.techtarget.com/definition/OCSP indicates that
OCSP is superseding CRL (Certificate Revocation List).
Is this something CM has to address, or automatically via a lib?
I then compared this to LuxSci.com (email service I pay for); IMNSHO, they
do a WAY better job for email than Google.
- http://gn.symcb.com/gn.crl certificate file 
- https://www.geotrust.com/resources/repository/legal root cert website
- http://gn.symcd.com returns 5-byte file: <8_random_chars>.ors 
- http://gn.symcb.com/gn.crt certificate file 
- http://g1.symcb.com/crls/gtglobal.crl certificate file
- http://g2.symcb.com returns a .ors file
- http://www.geotrust.com/resources/cps resolves to above legal link
 the LuxSci crl file is ~ 10 times larger than the GMail crl. These
files vary depending on source:
$ ll *crl
-rw-rw-r-- 13212 Oct 3 10:06 GIAG2.crl
-rw-rw-r-- 122137 Oct 3 11:36 gn.crl
-rw-rw-r-- 347 Oct 3 10:12 secureca.crl
 all .ors files are identical
 .crt files are identical
Aside: I have 3 gmail accounts on my Android phone in K-9 MUA, and it has
not seen any such problem in the same time period. Same network, DNS,
etc... For completeness, I had switched to OpenDNS servers about the same
time this started. Now using google DNS (22.214.171.124 & 126.96.36.199) and still
seeing the problem.
Any other suggestions to help track down this:
"Signature status: No certificate issuer found"?
I have no problem digging; but a road sign(s) would help...
Thanks & HTH,
PS Both CM instances use only POP3 (so does my K-9).
On Sun, 2 Oct 2016 20:46:37 -0400 Pierre Fortin wrote:
>I've been running 2 instances of CM for many years. In case it matters,
>today, I updated from 3.14.0-87 to 3.14.0-106. Until now, CM has been
>quietly accepting GMail's toggling SSL certs. Now, CM has been stalling
>on both instances waiting for Accept and save to be clicked.
>So... in one instance, I set ALL accounts to:
>and ALL the accounts in the other instance to:
>and both instances are still displaying the SSL cert dialogs. I've
>probably hit Accept and save over 50 times today... :P
>Looking at the .claws-mail/certs files, only the pop.gmail.com.* files
>have been updated today. The smtp ones were last touched in Feb and Sept
>Attached image of simultaneous cert dialogs and the settings at the time.
More information about the Users