New issue 3976 by fini...@gmail.com: Certificate error - rsa
routines:RSA_padding_check_PKCS1_type_1:block type is not 01 (SHA-1)
http://code.google.com/p/k9mail/issues/detail?id=3976
What's going wrong?
There seems to be a problem between K9 and the certificate at
zimbra.inria.fr. K9 gives me an error (see attached picture) and is unable
to retrieve the mail but the native android mail client is able to do so.
What steps will reproduce the problem?
1. Try to add the IMAP account zimbra.inria.fr with SSL (port 993)
2. Accept the certificate
3. See the error...
What do you expect to have happen?
My account should be added
What do you see instead?
I see the attached error message, java exception when parsing the
certificate
What version of K-9 are you using?
k9-4.104-release.apk from this site
Is your email account a POP account, Exchange Account or an IMAP account?
IMAP
Attachments:
screenshot_2012-01-07_1704.png 40.2 KB
error_log.txt 43.8 KB
I have exactly the same error, with another Zimbra server. The SSL
certificate was issued by Gandi.
Server : imap.web4all.fr
IMAP box
Have the same error with different server - poczta.interserw.pl - I think
this happens since last market update (v. 4.003).
It's a very serious bug because it doesn't show any error message unless you
try to change server settings.
I missed some emails because K9 Mail didn't warn me about failure to fetch
new messages.
I have the same problem as well. Also Zimbra.
Same. Dovecot IMAP, GeoTrust certificate. Also fails connecting over
SMTP/TLS to a Sendmail server (don't know that one's configuration). Looks
like this is a generic SSL/TLS problem, not protocol specific.
K-9 version 4.003 (installed from Market) on Cyanogenmod 7.1.1 for HTC
Thunderbolt.
Same. CM7.1 on Moto Atrix. Private ssl IMAP server.
This might be connected with that issue on android itself:
https://code.google.com/p/android/issues/detail?id=15968
did you try checking the certificate chain as pointed out by peter.sch..
openssl s_client -connect <server>:<sslport>
I tried the openssl command and I didn't get any error message. The
certificate chain leads to a TERENA certificate which is self-signed, but
this is normal for a root certificate.
Same issue with a Zimbra account over Exchange.
I can confirm this issue.
I started having this issue with a Zimbra server when I switched it to use
the Nginx IMAP proxy. Everything looks fine when I test with openssl:
openssl s_client -connect hostname:143 -starttls imap
Same issue, but with a server from lunarpages.com (lunariffic.com), a
hosting outfit in California, I think. Came after they refreshed their
server certificate.
It does appear to be a situation where the java class refuses to handle an
SSL certificate that is not using SHA signatures. I'm sure someone,
somewhere, is worried about the awful risks of running email over MD5
signature identity certificates.
But if K-9 is using the Android-supplied JAVA classes, they're probably
stuck. I installed AGP, hoping their crypto would handle the calls, but no
joy...still got the java class report described in the screen shot, above.
In my case, the certificate is signed using SHA-1, so this is not an MD5
issue...
I get the same error, with the server "mail.your-server.de" (by German
hoster Hetzner).
Checked the certificate with openssl
openssl s_client -connect mail.your-server.de:443
and it is alright. certificate chain seems correct to me, Thawte is the
authority...
the only thing I noticed is:
depth=2 /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006
thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=DE/ST=Bayern/L=Gunzenhausen/O=Hetzner Online AG/CN=*.your-server.de
i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
1 s:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006
thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006
thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting
cc/OU=Certification Services Division/CN=Thawte Premium Server
CA/emailAddress=premium...@thawte.com
---
Don't know if this line "verify error:num=20:unable to get local issuer
certificate" has anything to say...
Everyone please report their Android version. I think this is a bug in a
specific Android version (in OpenSSL).
I have the problem on all versions I have tried: 2.1+Sense (Hero),
2.3+Sense (Desire), and 4.0.3 (Desire). All other IMAP clients I have tried
work fine, including stock ICS and the HTC Sense ones.
I personally use 2.3 on an Xperia Mini Pro.
I use Android 2.3.4 on a Samsung Galaxy S2.
Hmm, please query the SSL certs from your mail server and attach the output
here.
openssl s_client -connect mail.your-server.de:443
[If you don't have Linux, you can simply post the hostname and the IMAP TLS
port, then I can check it myself.]
Comment #20 on issue 3976 by bernhard...@gmail.com:
(No comment was entered for this change.)
Here is what I get for zimbra.inria.fr
Attachments:
log.txt 4.1 KB
Here is mine. Interestingly, k9 had no problem with this cert until I
enabled the Nginx IMAP proxy, so I am including the output for https and
imaps. (Both are served via Nginx, however)
Attachments:
mail.funktronics.ca-ssl.out 4.5 KB
mail.funktronics.ca-imaps.out 4.5 KB
I checked the source of the built-in Android mail client, and it looks like we
are doing exactly the same (but we don't support client certs yet).
I think the only possibility is to record a network dump (with Wireshark /
tcpdump) and post it here.
We need
one log with the working built in mail client
and one with k9.
Please also post your K-9 settings (TLS, SSL, TLS if available...).
@jimmie you use exactly the same ciphers as my server. The only difference
is that I use a self-signed cert and you use a certificate chain INCLUDING
a self-signed cert.
Maybe this is the problem.
Comment #25 on issue 3976 by bernhard...@gmail.com:
Hmm, ok, I think I have tracked down the problem: it's how K-9 handles
certificate chains.
For some reason we only check chain[0]:
localTrustManager.checkServerTrusted(new X509Certificate[] {chain[0]}, authType);
For testing purposes, a test mail account on an affected server would be
fine.
Please mail me the user/pass instead of posting it here to prevent abuse.
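The chain handling described in the comment above, reproduced as an added example that is not part of the thread and not K-9's Java code: Go's standard-library X.509 verifier stands in for Android's TrustManager, the certificates (root, intermediate, leaf named "mail.example.test") are constructed in memory, and the trust store holds only the root, as a device CA store would. Verifying chain[0] alone fails because the intermediate is unavailable; passing the rest of the server's chain as intermediates succeeds.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue creates a certificate for cn; a nil parent makes it self-signed (a root CA).
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey, serial int64) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // constructed throwaway test key
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// verifyChain validates leaf against a store holding only root (the device CA store);
// extra is the rest of the server's chain. nil reproduces K-9 passing chain[0] alone.
func verifyChain(root, leaf *x509.Certificate, extra []*x509.Certificate) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	opts.Roots.AddCert(root)
	for _, c := range extra {
		opts.Intermediates.AddCert(c)
	}
	_, err := leaf.Verify(opts)
	return err
}
// Demo builds a constructed root -> intermediate -> leaf chain and reports whether
// verification passes with chain[0] alone (the bug) and with the full chain (the fix).
func Demo() (leafOnlyOK, fullChainOK bool) {
	root, rootKey := issue("Test Root CA", true, nil, nil, 1)
	inter, interKey := issue("Test Intermediate CA", true, root, rootKey, 2)
	leaf, _ := issue("mail.example.test", false, inter, interKey, 3)
	return verifyChain(root, leaf, nil) == nil, verifyChain(root, leaf, []*x509.Certificate{inter, root}) == nil
}
```

Note that the emulator images mentioned later in the thread would pass either way only if their trust store already contains the intermediate; a store with just the root is what exposes the difference.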
I've sent a test account.
The problem does not occur on unmodified Android images in the emulator
(both 2.3 and 4.0.3 not affected),
but I can reproduce it on an HTC Desire 2.3.4.
I coded a workaround, in case the normal cert check fails:
http://berni.stinkt.kicks-ass.org/k9debug.apk
It should be possible to install this apk beside your normal K-9, because it's
signed with a debug key. Please report back if this works for you.
Also VERY IMPORTANT: Please check if changing your server key AFTER
accepting it in K-9 triggers a SECURITY warning (at least it should stop
working).
Comment #30 on issue 3976 by bernhard...@gmail.com:
branch:
https://github.com/aatdark/k-9/commits/aatdark_issue3976
commit:
https://github.com/aatdark/k-9/commit/db94f3584da43522004080711b6c8f6d65f46418
Great! The debug apk with the workaround works for me. I was able to send
an email via SSL via mail.your-server.de
Would you still need a test account?
FYI: looked at the commit... and it doesn't only occur on HTC phones; with
me it happened on an SGS2. People here also reported it not working on
other phones, too, like Sony.
No, a test account is not needed anymore.
I'm not sure why it works in the emulator and not on the devices.
This BETA fixes this issue with my hosting provider superhosting.bg IMAP
and SMTP certificates. Please release the fix in the Market so we can
cleanly update.