
Issues with Openmailbox IMAP server


fade...@openmailbox.org

Dec 30, 2015, 9:32:43 AM
to dev-se...@lists.mozilla.org
Hi there,

Could you check if there is any reason why my Icedove v38.4.0 rejects
connecting to the IMAP server of Openmailbox? If I have knocked on the
wrong door, I apologize in advance.

There's a detailed thread explaining the issue here
https://forum.openmailbox.org/viewtopic.php?pid=6138#p6138
Some people have reported that downgrading icedove (does it imply a
libnss downgrade?) solves the problem.

My main query to you is if there's any weak encryption on the Openmailbox
server that Icedove is blocking for security reasons, as it could be
dangerous to advise a downgrade to everyone that is having this problem,
while the error would be server-side.

Thank you very much,
Elkon

fade...@openmailbox.org

Dec 30, 2015, 9:48:07 AM
to dev-se...@lists.mozilla.org

I managed to get the certificate. Isn't everything alright? (I also paste
the session details as I haven't authenticated, and the session is
already closed)

$ openssl s_client -host openmailbox.org -port 143 -starttls imap
CONNECTED(00000003)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.openmailbox.org
   i:/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
 1 s:/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
subject=/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.openmailbox.org
issuer=/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
---
Acceptable client certificate CA names
/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
---
SSL handshake has read 5535 bytes and written 491 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 4A8BC83262C264F42F4305518B4A6CA5D57A2EDE834762BA262065C32809EF1F
Session-ID-ctx:
Master-Key: 37B62EC2FD4EC4BEB0B763164642335624862CBDCCD9A142955E0542D8196D1A021152CE17BD79B989D3B7B622BFF644
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:

Start Time: 1451486515
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
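
One way to read the summary lines of an `openssl s_client` run like the one posted above, sorting each observation into a server-side parameter or a client-side trust-store matter. This is an added example, not part of the original post; the policy thresholds, function names and finding messages are assumptions made for illustration.

```python
import re

# Constructed sample: summary lines copied from the s_client output above.
SAMPLE = """\
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Verify return code: 20 (unable to get local issuer certificate)
"""

# Assumed policy for this example; the thread does not state one.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_TOKENS = {"RC4", "DES", "3DES", "CBC3", "MD5", "NULL", "EXP", "ADH", "AECDH"}
MIN_KEY_BITS = 2048

def parse_s_client(text):
    """Pull the negotiated parameters out of `openssl s_client` output."""
    def grab(pattern, cast=str):
        m = re.search(pattern, text, re.MULTILINE)
        return cast(m.group(1)) if m else None
    return {
        "protocol": grab(r"^\s*Protocol\s*:\s*(\S+)"),
        "cipher": grab(r"^\s*Cipher\s*:\s*(\S+)"),
        "key_bits": grab(r"Server public key is (\d+) bit", int),
        "secure_reneg": "Secure Renegotiation IS supported" in text,
        "compression": grab(r"^\s*Compression:\s*(\S+)"),
        "verify_code": grab(r"Verify return code:\s*(\d+)", int),
    }

def findings(info):
    """Return (side, message) pairs, side being 'server' or 'client'."""
    out = []
    if info["protocol"] in WEAK_PROTOCOLS:
        out.append(("server", "legacy protocol " + info["protocol"]))
    weak = WEAK_TOKENS & set((info["cipher"] or "").split("-"))
    if weak:
        out.append(("server", "weak cipher component " + ",".join(sorted(weak))))
    if info["key_bits"] is not None and info["key_bits"] < MIN_KEY_BITS:
        out.append(("server", "public key of %d bits" % info["key_bits"]))
    if not info["secure_reneg"]:
        out.append(("server", "secure renegotiation not offered"))
    if info["compression"] not in (None, "NONE"):
        out.append(("server", "TLS compression enabled"))
    if info["verify_code"] == 20:  # issuer missing from the local trust store
        out.append(("client", "issuer not in local trust store"))
    elif info["verify_code"]:  # other codes attributed to the server (assumption)
        out.append(("server", "chain verify code %d" % info["verify_code"]))
    return out
```

A single handshake reports only the suite negotiated with this particular client, so a clean result here says nothing about other suites the server may accept from a different TLS library.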
