[gnutls-help] Can't connect to my ISP's mail server using GnuTLS

Darko K. darko.koruga at siol.net
Thu Dec 27 10:43:05 CET 2012

On Wed, 26 Dec 2012 10:43:23 -0500 Daniel Kahn Gillmor wrote:

> On 12/26/2012 08:05 AM, Darko K. wrote:
> > gnutls-cli -p 465
> > --priority='NORMAL:%COMPAT:+VERS-SSL3.0:-VERS-TLS1.2:-VERS-TLS1.1'
> > --x509cafile=/etc/ssl/certs/ca-certificates.crt mail.siol.net
>
> I think your ISP's mailserver is oddly configured in more than one
> way.
>
> For one thing, their list of intermediate certificates isn't a linear
> progression from the end-entity (EE) certificate to the root
> certificate.  There is actually a root certificate in the provided
> chain, which is against the TLS spec.
>
> They should remove the first certificate in their chain (the one with
> both issuer and subject set to "C=US,O=GeoTrust Inc.,CN=GeoTrust
> Global CA") if they're interested in complying with the TLS
> specification.
>
> The server also does not claim to be able to support secure
> renegotiation, which indicates that it isn't being kept up-to-date --
> this is a critical extension on today's network, if any sort of TLS
> renegotiation is to be supported.
>
> fwiw, I also can't get it to successfully negotiate a connection with
> openssl s_client.  Are you able to connect to this successfully with
> any TLS client?
>
> Sorry this doesn't answer your question specifically, but these are
> the problems I see with the server upon first investigation.

Hello Daniel,

thank you for your help. My bet is they run some proprietary software
on Windows which obviously implements security very poorly. If I were
more familiar with SSL and TLS protocols I would definitely open a
ticket with them.

I was able to connect using OpenSSL s_client but I forgot what command
line I used and what version of OpenSSL it was. It wasn't interesting
for me since Claws Mail does not support OpenSSL.
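
Added example, not part of the original thread or of GnuTLS: a small Python check for the chain-ordering problem described in the quoted reply (a certificate list that is not a linear progression from the end-entity certificate, with a self-signed root in it). It compares subject and issuer names only and verifies no signatures; the function names and every certificate name except the GeoTrust root DN quoted above are constructed for illustration.

```python
# Assumption: each certificate is reduced to a (subject, issuer) pair of DN
# strings, in the order the server sent them, and DNs are compared as exact
# strings. Real path building also checks signatures and key identifiers.

def check_chain_order(chain):
    """Return a list of findings; an empty list means the list runs linearly
    from the end-entity certificate upward and carries no self-signed root."""
    if not chain:
        return ["empty certificate list"]
    findings = []
    for i, (subject, issuer) in enumerate(chain):
        if subject == issuer:
            findings.append(f"position {i}: self-signed certificate ({subject})")
        if i > 0 and subject != chain[i - 1][1]:
            findings.append(
                f"position {i}: subject is not the issuer of position {i - 1}")
    return findings


def linearize(chain):
    """Rebuild the end-entity -> intermediates order by following issuer names
    from chain[0] (assumed to be the end-entity); self-signed roots are dropped."""
    by_subject = {s: (s, i) for s, i in chain[1:] if s != i}
    ordered = [chain[0]]
    # pop() removes each certificate as it is used, so a name loop terminates
    while ordered[-1][1] in by_subject:
        ordered.append(by_subject.pop(ordered[-1][1]))
    return ordered


# Constructed sample data, not the actual chain sent by the server in the thread.
ROOT_DN = "C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA"  # DN quoted in the thread
INT_DN = "CN=Example Intermediate CA"                   # constructed
EE_DN = "CN=mail.example.test"                          # constructed

EE = (EE_DN, INT_DN)
ROOT = (ROOT_DN, ROOT_DN)
INTERMEDIATE = (INT_DN, ROOT_DN)
SENT = [EE, ROOT, INTERMEDIATE]  # root sits in the middle of the list

if __name__ == "__main__":
    for finding in check_chain_order(SENT):
        print("problem:", finding)
    print("suggested order:", [subject for subject, _ in linearize(SENT)])
```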

