[gnutls-help] Can't connect to my ISP's mail server using GnuTLS

Darko K. darko.koruga at siol.net
Thu Dec 27 10:43:05 CET 2012


On Wed, 26 Dec 2012 10:43:23 -0500 Daniel Kahn Gillmor wrote:

> On 12/26/2012 08:05 AM, Darko K. wrote:
> > gnutls-cli -p 465
> > --priority='NORMAL:%COMPAT:+VERS-SSL3.0:-VERS-TLS1.2:-VERS-TLS1.1'
> > --x509cafile=/etc/ssl/certs/ca-certificates.crt mail.siol.net
> 
> I think your isp's mailserver is oddly configured in more than one
> way.
> 
> For one thing, their list of intermediate certificates isn't a linear
> progression from the end-entity (EE) certificate to the root
> certificate.  There is actually a root certificate in the provided
> chain, which is against the TLS spec.
> 
> They should remove the first certificate in their chain (the one with
> both issuer and subject set to "C=US,O=GeoTrust Inc.,CN=GeoTrust
> Global CA") if they're interested in complying with the TLS
> specification.
> 
> The server also does not claim to be able to support secure
> renegotiation, which indicates that it isn't being kept up-to-date --
> this is a critical extension on today's network, if any sort of TLS
> renegotiation is to be supported.
> 
> fwiw, I also can't get it to successfully negotiate a connection with
> openssl s_client.  Are you able to connect to this successfully with
> any TLS client?
> 
> Sorry this doesn't answer your question specifically, but these are
> the problems I see with the server upon first investigation.
> 
Hello Daniel,

thank you for your help. My bet is they run some proprietary software
on Windows which obviously implements security very poorly. If I were
more familiar with SSL and TLS protocols I would definitely open a
ticket with them.

I was able to connect using OpenSSL s_client but I forgot what command
line I used and what version of OpenSSL it was. It wasn't interesting
for me since Claws Mail does not support OpenSSL.

Regards,
                 Darko
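
The chain-ordering problem described in the quoted reply above, as an added example that is not part of either message: a check that each certificate in a server-sent list is issued by the one after it, with a self-issued entry flagged when it is not last. Only the GeoTrust name comes from the thread; the other two names, their order, and the helper names are constructed assumptions, and the check compares names only, without verifying signatures.

```python
from typing import List, NamedTuple


class Cert(NamedTuple):
    subject: str
    issuer: str


def check_chain_order(chain: List[Cert]) -> List[str]:
    """Return findings for a server-sent list; an empty result means well ordered."""
    if not chain:
        return ["empty certificate list"]
    findings = []
    for i, cert in enumerate(chain):
        last = i == len(chain) - 1
        if cert.subject == cert.issuer and not last:
            findings.append(f"[{i}] self-issued certificate before end of list: {cert.subject}")
        if not last and cert.issuer != chain[i + 1].subject:
            findings.append(f"[{i}] issuer {cert.issuer!r} is not the subject of [{i + 1}]")
    return findings


def suggest_order(chain: List[Cert]) -> List[Cert]:
    """Follow issuer names up from the end-entity cert; stop before a self-issued root."""
    if not chain:
        return []
    by_subject = {c.subject: c for c in chain[1:]}
    ordered = [chain[0]]
    while True:
        nxt = by_subject.pop(ordered[-1].issuer, None)
        if nxt is None or nxt.subject == nxt.issuer:
            return ordered
        ordered.append(nxt)


# Constructed sample list (not the server's real chain): EE, root, intermediate.
ROOT = "C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA"   # name quoted in the thread
INTER = "CN=Example Intermediate CA"                  # constructed
EE = "CN=mail.example.test"                           # constructed
SENT = [Cert(EE, INTER), Cert(ROOT, ROOT), Cert(INTER, ROOT)]

if __name__ == "__main__":
    for finding in check_chain_order(SENT):
        print(finding)
    print("suggested order:", [c.subject for c in suggest_order(SENT)])
```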


