[sylpheed:36518] Re: IMAP4 & STARTTLS

Rich Coe rcoe at wi.rr.com
Mon Feb 27 23:20:30 JST 2017


On Mon, 27 Feb 2017 12:54:18 +1100
John Angelico <jatalldad at gmail.com> wrote:
> My server has increased security by invoking SSL, using STARTTLS.
> 
> However, I cannot get Sylpheed 3.5.0 beta1 build 1161 on Linux
> 3.16.0-4-amd64 (x86_64) Debian Jessie to make a server connection.
> 
> Also today Melbourne Australia time we built and tested 3.5.1 but got the
> same error - Could not establish a connection to the server
>
> Do I need to supply any further data?
> 
> Has anyone else reported difficulties with STARTTLS?
> 
> Where to next?

The worst problem I've had with TLS in general is getting the certificate 
used by the server to be accepted by the client.  I'm just guessing that 
it might be the problem.

Is there a client side certificate you had to install from your provider?
If there was, did you use 'openssl verify' to make sure your client can 
validate the server cert?  If the chain of trust for the cert cannot be
verified, ssl is going to reject the connection.  You may have to install 
certs into your linux box (they are usually installed by default) from the
provider that signed the server cert.

If it's a self-signed cert, you will have to install it.  I believe Sylpheed
lets you install a self-signed cert.  It's been a number of years since 
I've had to do it, and Sylpheed at the moment won't let me open 
'Configuration' while composing.

I would run 'sylpheed --debug > out.1' to capture what sylpheed is doing
when trying to download email.

These are my notes for dealing with certs.  They came from the internet 
after sifting through helpful web-pages.

>>>> Here's what I did to manually install an intermediate cert that I did
>>>> not have in order to verify a server side cert.
    # the url came from the cert that was signed by a remote server
    wget https://www.digicert.com/CACerts/DigiCertHighAssuranceEVCA-1.crt
    # convert the downloaded DER-encoded cert to PEM
    openssl x509 -in DigiCertHighAssuranceEVCA-1.crt -inform DER \
        -out DigiCert.pem -outform PEM
    openssl verify -verbose -CApath /etc/ssl/certs DigiCert.pem
    # print the subject hash that names the symlink created in the last step
    openssl x509 -noout -hash -in DigiCert.pem
    cp DigiCert.pem /var/lib/ca-certificates/pem/
    ln -s /var/lib/ca-certificates/pem/DigiCert.pem /etc/ssl/certs/
    # the <hash>.0 link is how OpenSSL finds the cert in a CApath directory
    ln -s /etc/ssl/certs/DigiCert.pem \
        /etc/ssl/certs/$(openssl x509 -noout -hash -in DigiCert.pem).0

>>>> Here's what I did to view a cert
    openssl x509 -noout -text -in DigiCert.pem

>>>> Here's what I did to look at the dates in a cert
    # sometimes a cert is expired
    openssl x509 -noout -issuer -subject -dates -in DigiCert.pem


Rich
-- 
Rich Coe     rcoe at wi.rr.com
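
The verify-then-install sequence from the notes above, as an added example that is not part of the original message: it shows a server certificate being rejected until its issuer sits in the CApath directory under its subject-hash name. The CA, the server name `imap.example.test`, the function names and all file names are constructed for illustration, and everything happens in a scratch directory rather than /etc/ssl/certs.

```sh
#!/bin/sh
# Added example. The CA, the server cert and every file name are constructed;
# everything lives in a scratch directory, not in /etc/ssl/certs.

# Create a throwaway CA and a server certificate signed by it in directory $1.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=imap.example.test" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/server.csr" -days 1 \
        -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/server.pem" 2>/dev/null
}

# Copy CA cert $1 into CApath directory $2 and add the <subject-hash>.0
# symlink that OpenSSL uses to find it there.
install_ca() {
    ca_hash=$(openssl x509 -noout -hash -in "$1") || return 1
    cp "$1" "$2/" && ln -sf "$(basename "$1")" "$2/$ca_hash.0"
}

# Succeed only if cert $1 verifies against the CApath directory $2.
chain_ok() {
    openssl verify -CApath "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# Demo: the same server cert is rejected before the CA is installed
# and accepted afterwards.
demo=$(mktemp -d) && mkdir "$demo/certs" && make_test_pki "$demo" || exit 1
if chain_ok "$demo/server.pem" "$demo/certs"; then
    echo "before: OK"; else echo "before: rejected"; fi
install_ca "$demo/ca.pem" "$demo/certs"
if chain_ok "$demo/server.pem" "$demo/certs"; then
    echo "after: OK"; else echo "after: rejected"; fi
rm -rf "$demo"
```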

