[gnutls-help] Can't connect to my ISP's mail server using GnuTLS

Darko K. darko.koruga at siol.net
Wed Dec 26 14:05:39 CET 2012

Hi all,

let me start with a bit of a background regarding the problem I am
facing. ISP started enforcing SMTP authentication recently and of
course I want to use the encrypted channel for sending my password
over the line. Mail user agent of my choice (Claws Mail) uses GnuTLS for
encrypted communication. So I thought it would be as simple as enabling
SMTP authentication and SSL but it turned out it does not work, I
always get SSL handshake failed error.

ISP's technical support stated that their server does not support TLS
1.1 nor TLS 1.2 so I thought I just need to set a correct priority
string. I am using GnuTLS versions 3.0.20 and 3.1.5 for my experiments.
I have attached the output of gnutls-cli-debug when connecting to the
server in question.

Based on the output of gnutls-cli-debug and on what their support said I
thought it would be enough to disable TLS 1.1 and TLS 1.2 but
unfortunately I still can"t connect to their server. I am using the
command line
gnutls-cli -p 465 --priority='NORMAL:%COMPAT:+VERS-SSL3.0:-VERS-TLS1.2:-VERS-TLS1.1' --x509cafile=/etc/ssl/certs/ca-certificates.crt mail.siol.net
for testing the connection.

Relevant bit of output for GnuTLS 3.1.5:
Processed 151 CA certificate(s).
Resolving 'mail.siol.net'...
Connecting to ''...
- Certificate type: X.509
- Got a certificate list of 4 certificates.
... (certificates info comes here)
- Status: The certificate is trusted.
*** Fatal error: A TLS fatal alert has been received.
*** Received alert [0]: Close notify
*** Handshake has failed
GnuTLS error: A TLS fatal alert has been received.
Can someone please explain what this error means ?

When I use GnuTLS 3.0.20 I get a different error:
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- The hostname in the certificate matches 'mail.siol.net'.
*** Verifying server certificate failed...
*** Fatal error: Error in the certificate.
How come GnuTLS 3.1.5 conciders the same certificate as trusted but
GnuTLS 3.0.20 does not ?

I hope someone can help me resolve these connection issue.

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: gnutls-debug.txt
URL: </pipermail/attachments/20121226/d362314c/attachment-0001.txt>

More information about the Gnutls-help mailing list