[sylpheed:31913] Re: SSL certificate verify failed

André Costa blueser at gmail.com
Sat Nov 17 02:54:20 JST 2007


On Nov 12, 2007 2:01 PM, Petr Kovar <pknbe at volny.cz> wrote:
> Casco Bucci <Casco.Bucci at comcast.net>, Mon, 12 Nov 2007 04:57:09 -0500:
>
> (...)
>
> > Was able to download the certificate (per your suggestion) (Win32
> > version with Cygwin installed) with no joy  -- Sylpheed
> > still raises an exception about the self-signed certificate.
> >
> > Whatever I did has made it worse.  Sylpheed now also raises an exception
> > to Comcast's certificate (never questioned it before).
>
> Here is a cut and paste of one of my previous messages posted to this list:
>
> Try to copy your certificate to etc\ssl\certs\certs.crt file located
> in the Sylpheed installation directory, i.e. C:\Program Files\Sylpheed\ by
> default. That should do the trick.
>
> As far as the certs.crt file within the Sylpheed user's profile is
> concerned, leave it untouched (as is and was after the fresh installation).
>
> However, this only applies to the official Win32 binary. I have no
> experience using Sylpheed and Cygwin.
>
> Hope that helps,
> Petr Kovar

Anyone succeeded in caching the certificate for GMail's SMTP? I tried this:

openssl s_client -connect smtp.gmail.com:587 -showcerts
CONNECTED(00000003)
13408:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:567:

openssl chokes on this, for some reason. GMail's help
[http://mail.google.com/support/bin/answer.py?answer=13287] says both
ports 587 and 465 can be used, so I tried 465. This one works, and I
get a valid .pem file content:

However, if I save this as ~/.sylpheed-2.0/certs/gmail-smtp.pem and
run c_rehash the link is created, but sylpheed still complains it
cannot validate certificate:

* Connecting to SMTP server: smtp.gmail.com ...
[15:50:08] SMTP< 220 mx.google.com ESMTP c78sm2582652hsa
[15:50:08] ESMTP> EHLO localhost.localdomain
[15:50:08] ESMTP< 250-mx.google.com at your service, [200.177.214.11]
[15:50:08] ESMTP< 250-SIZE 28311552
[15:50:08] ESMTP< 250-8BITMIME
[15:50:08] ESMTP< 250-STARTTLS
[15:50:08] ESMTP< 250 ENHANCEDSTATUSCODES
[15:50:08] ESMTP> STARTTLS
[15:50:09] ESMTP< 220 2.0.0 Ready to start TLS
** LibSylph-WARNING: smtp.gmail.com: SSL certificate verify failed (20: unable to get local issuer certificate)

Also, I can't seem to be able to use port 465 (it apparently hangs),
so I am trying port 587, which succeeds if I manually accept the
certificate.

Any hints?

Regards,

Andre
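
Added example, not part of the original message: an offline reproduction of verify error 20 with OpenSSL's default chain building, showing that a hashed certificate directory holding only the server's own certificate still fails until the issuing CA certificate is added. The CA and server certificates, their names and the helper functions are constructed for the demo, and it assumes the mail client's certificate directory is consulted like an OpenSSL CApath.

```shell
#!/bin/sh
# Added demo with constructed certificates (CN names and file names are made up).
# It runs offline. Against a live server, port 587 speaks plain SMTP until
# STARTTLS, so the probe needs: openssl s_client -starttls smtp -connect HOST:587 -showcerts

make_demo_pki() {   # $1 = work dir; writes ca.pem and leaf.pem (leaf signed by ca)
    d=$1
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\nCN=demo\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/demo.cnf"
    openssl req -x509 -config "$d/demo.cnf" -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Demo Issuing CA" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=smtp.example.test" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

trust_cert() {      # $1 = hashed cert dir, $2 = PEM file; the link c_rehash would create
    cp "$2" "$1/" &&
    ln -sf "$(basename "$2")" "$1/$(openssl x509 -noout -hash -in "$2").0"
}

verify_code() {     # $1 = hashed cert dir, $2 = cert; prints 0 or the X509 error number
    out=$(openssl verify -CApath "$1" "$2" 2>&1) || true
    code=$(printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at.*/\1/p' | head -n 1)
    if [ -n "$code" ]; then echo "$code"
    else
        case $out in *": OK"*) echo 0 ;; *) echo unknown ;; esac
    fi
}

demo() {
    w=$(mktemp -d) && mkdir "$w/certs" && make_demo_pki "$w"
    trust_cert "$w/certs" "$w/leaf.pem"      # only the server certificate is trusted
    echo "leaf only:       verify code $(verify_code "$w/certs" "$w/leaf.pem")"   # 20
    trust_cert "$w/certs" "$w/ca.pem"        # now the issuer is present as well
    echo "issuer CA added: verify code $(verify_code "$w/certs" "$w/leaf.pem")"   # 0
    rm -rf "$w"
}
demo
```

Code 20 is the same "unable to get local issuer certificate" result shown in the log above; 0 means the chain verified.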
