[gnutls-help] Can't connect to my ISP's mail server using GnuTLS

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Dec 26 16:43:23 CET 2012


On 12/26/2012 08:05 AM, Darko K. wrote:
> gnutls-cli -p 465 --priority='NORMAL:%COMPAT:+VERS-SSL3.0:-VERS-TLS1.2:-VERS-TLS1.1' --x509cafile=/etc/ssl/certs/ca-certificates.crt mail.siol.net

I think your ISP's mailserver is oddly configured in more than one way.

For one thing, their list of intermediate certificates isn't a linear
progression from the end-entity (EE) certificate to the root
certificate.  There is actually a root certificate in the provided
chain, which is against the TLS spec.

They should remove the first certificate in their chain (the one with
both issuer and subject set to "C=US,O=GeoTrust Inc.,CN=GeoTrust Global
CA") if they're interested in complying with the TLS specification.

The server also does not claim to be able to support secure
renegotiation, which indicates that it isn't being kept up-to-date --
this is a critical extension on today's network, if any sort of TLS
renegotiation is to be supported.

FWIW, I also can't get it to successfully negotiate a connection with
openssl s_client.  Are you able to connect to this successfully with any
TLS client?

Sorry this doesn't answer your question specifically, but these are the
problems I see with the server upon first investigation.

	--dkg
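The chain-ordering problem described in the reply above (a self-signed root served in the chain, and certificates not in issuer order) can be checked mechanically. The script below is an added example, not code from the thread or from GnuTLS: it walks the DER of each certificate with a minimal TLV reader, pulls out only the issuer and subject Name fields, and reports any certificate that is self-signed or that is not issued by the certificate following it. No signatures are verified. The sample chain is constructed by hand (unsigned, dummy fields) purely to exercise the ordering logic; the end-entity and intermediate names are placeholders, not the real certificates of the server in the thread.

```python
"""Check the order of a served TLS certificate chain.

Added example (not from the gnutls-help thread). Parses only the issuer
and subject Name fields of DER X.509 certificates and compares them
byte-for-byte. The sample chain is constructed, unsigned data.
"""


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag = buf[pos]
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _children(seq_value):
    """Split the content of a constructed TLV into its (tag, value) items."""
    out, pos = [], 0
    while pos < len(seq_value):
        tag, val, pos = _read_tlv(seq_value, pos)
        out.append((tag, val))
    return out


def names_of(cert_der):
    """Return (issuer, subject) as raw DER Name contents from a certificate."""
    _, cert_body, _ = _read_tlv(cert_der, 0)       # Certificate SEQUENCE
    _, tbs, _ = _read_tlv(cert_body, 0)            # TBSCertificate SEQUENCE
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                       # explicit [0] version present
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    return fields[2][1], fields[4][1]


def check_chain(chain):
    """chain: DER certificates in the order the server sent them.

    Returns a list of findings; an empty list means the chain is a linear
    progression from the end-entity upward with no self-signed root in it.
    """
    findings = []
    names = [names_of(c) for c in chain]
    for i, (issuer, subject) in enumerate(names):
        if issuer == subject:
            findings.append(f"cert #{i} is self-signed (a root); remove it from the chain")
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:
            findings.append(f"cert #{i + 1} is not the issuer of cert #{i}; chain is not linear")
    return findings


# --- constructed sample data below: minimal, unsigned DER stand-ins ---

def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


_SHA256_RSA = _tlv(0x30, _tlv(0x06, bytes.fromhex("2A864886F70D01010B")))


def _name(cn):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue; one commonName (2.5.4.3)."""
    attr = _tlv(0x30, _tlv(0x06, bytes.fromhex("550403")) + _tlv(0x0C, cn.encode()))
    return _tlv(0x30, _tlv(0x31, attr))


def fake_cert(subject_cn, issuer_cn):
    """Constructed stand-in with just enough TBSCertificate layout for names_of()."""
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02"))                                   # version v3
           + _tlv(0x02, b"\x01")                                              # serialNumber
           + _SHA256_RSA                                                      # signature alg
           + _name(issuer_cn)                                                 # issuer
           + _tlv(0x30, _tlv(0x17, b"121226000000Z") + _tlv(0x17, b"131226000000Z"))  # validity
           + _name(subject_cn))                                               # subject
    return _tlv(0x30, _tlv(0x30, tbs) + _SHA256_RSA + _tlv(0x03, b"\x00" * 5))


ROOT = fake_cert("GeoTrust Global CA", "GeoTrust Global CA")   # self-signed
INTERMEDIATE = fake_cert("Placeholder Intermediate CA", "GeoTrust Global CA")
END_ENTITY = fake_cert("mail.placeholder.example", "Placeholder Intermediate CA")

# Mis-ordered chain with the root first, as described in the reply.
SERVED_CHAIN = [ROOT, END_ENTITY, INTERMEDIATE]
# What the server should send instead: end-entity, then its issuer.
FIXED_CHAIN = [END_ENTITY, INTERMEDIATE]

if __name__ == "__main__":
    for label, chain in (("served", SERVED_CHAIN), ("fixed", FIXED_CHAIN)):
        print(label, check_chain(chain) or ["ok"])
```

To run this against a real server, capture the chain with `openssl s_client -showcerts` or `gnutls-cli --print-cert`, convert each PEM block to DER, and pass the list to `check_chain()` in the order received. The byte-wise Name comparison is the same test a validator applies first when linking certificates; it deliberately ignores signatures, so a clean result here only means the ordering is sane, not that the chain verifies.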
