[gnutls-help] Can't connect to my ISP's mail server using GnuTLS
Darko K.
darko.koruga at siol.net
Thu Dec 27 10:43:05 CET 2012
On Wed, 26 Dec 2012 10:43:23 -0500 Daniel Kahn Gillmor wrote:
> On 12/26/2012 08:05 AM, Darko K. wrote:
> > gnutls-cli -p 465
> > --priority='NORMAL:%COMPAT:+VERS-SSL3.0:-VERS-TLS1.2:-VERS-TLS1.1'
> > --x509cafile=/etc/ssl/certs/ca-certificates.crt mail.siol.net
>
> I think your isp's mailserver is oddly configured in more than one
> way.
>
> For one thing, their list of intermediate certificates isn't a linear
> progression from the end-entity (EE) certificate to the root
> certificate. There is actually a root certificate in the provided
> chain, which is against the TLS spec.
>
> They should remove the first certificate in their chain (the one with
> both issuer and subject set to "C=US,O=GeoTrust Inc.,CN=GeoTrust
> Global CA") if they're interested in complying with the TLS
> specification.
>
> The server also does not claim to be able to support secure
> renegotiation, which indicates that it isn't being kept up-to-date --
> this is a critical extension on today's network, if any sort of TLS
> renegotiation is to be supported.
>
> fwiw, I also can't get it to successfully negotiate a connection with
> openssl s_client. Are you able to connect to this successfully with
> any TLS client?
>
> Sorry this doesn't answer your question specifically, but these are
> the problems I see with the server upon first investigation.
>
Hello Daniel,

thank you for your help. My bet is they run some proprietary software
on Windows which obviously implements security very poorly. If I were
more familiar with SSL and TLS protocols I would definitely open a
ticket with them.

I was able to connect using OpenSSL s_client but I forgot what command
line I used and what version of OpenSSL it was. It wasn't interesting
for me since Claws Mail does not support OpenSSL.

Regards,
Darko
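
An added example, not part of the thread: a small audit of a server-sent certificate list for the two chain conditions raised in the quoted reply (a self-issued root in the list, and a list that is not a linear progression from the end-entity certificate). It compares subject and issuer names only and verifies no signatures; the end-entity and intermediate names are constructed sample data, and `audit_chain` and `linearize` are hypothetical helper names.

```python
from typing import List, NamedTuple


class Cert(NamedTuple):
    subject: str
    issuer: str


def audit_chain(chain: List[Cert]) -> List[str]:
    """Return findings for a server-sent list (end-entity certificate expected first)."""
    findings = []
    for i, cert in enumerate(chain):
        if cert.subject == cert.issuer:
            findings.append(f"cert[{i}] is self-issued (root in list): {cert.subject}")
    # Each certificate should be issued by the one that follows it.
    for i in range(len(chain) - 1):
        if chain[i].issuer != chain[i + 1].subject:
            findings.append(f"cert[{i}] is not issued by cert[{i + 1}]")
    return findings


def linearize(chain: List[Cert], ee_subject: str) -> List[Cert]:
    """Rebuild the end-entity -> intermediates order, dropping self-issued certs."""
    by_subject = {c.subject: c for c in chain if c.subject != c.issuer}
    ordered, cur = [], by_subject.get(ee_subject)
    while cur is not None and cur not in ordered:  # guard against issuer loops
        ordered.append(cur)
        cur = by_subject.get(cur.issuer)
    return ordered


# Constructed sample: only the root's name is taken from the thread.
ROOT_DN = "C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA"
ROOT = Cert(ROOT_DN, ROOT_DN)
INTERMEDIATE = Cert("CN=Example Intermediate CA", ROOT_DN)  # constructed
EE = Cert("CN=mail.siol.net", "CN=Example Intermediate CA")  # constructed
SENT = [ROOT, EE, INTERMEDIATE]  # root first, as the quoted reply describes

if __name__ == "__main__":
    for finding in audit_chain(SENT):
        print("FINDING:", finding)
    fixed = linearize(SENT, EE.subject)
    print("corrected order:", [c.subject for c in fixed])
    print("findings after correction:", audit_chain(fixed))
```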