SSL Handshake Exception when trying to setup Gmail account


Tobias

Jan 17, 2017, 4:20:43 PM
to R2Mail2 BETA Test
Hi,

I'm trying to connect to Gmail via IMAP and SMTP with the following settings

[IMAP]
Security: SSL/TLS
Port: 993

[SMTP]
Security: SSL/TLS
Port: 465

However, it does not work and I'm getting an error about a wrong SSL Handshake.
See the logcat output below:

11792 12225 D R2Mail2 : Trying to download issuer cert from aia information...
11792 12225 E R2Mail2 : Error validating certificate: Certificate chain not valid - root certificate was not found!

11792 12225 E Transport Gmail: Error connecting to server imap.gmail.com:993 with username: *******@gmail.com and security: SSL/TLS
11792 12225 E Transport Gmail: Error: Certificate chain not valid - root certificate was not found!

11792 12225 D R2Mail2 : Found following ips for hostname imap.gmail.com
11792 12225 D R2Mail2 : IP: 173.194.79.109
11792 12225 D R2Mail2 : IP: 173.194.79.108
11792 12225 D R2Mail2 : Trying to download issuer cert from aia information...
11792 12225 E R2Mail2 : Error validating certificate: Certificate chain not valid - root certificate was not found!
11792 12225 D R2Mail2 : successfully created connection to imap.gmail.com with NONE and SSL_NULL_WITH_NULL_NULL
11792 12225 E R2Mail2 : Error checking connection: Error connecting to server imap.gmail.com:993 with username *******@gmail.com and security settings SSL/TLS

11792 12225 E R2Mail2 :
11792 12225 E R2Mail2 : Error during SSL handshake, please verify that you are connecting to an SSL enabled port and that the used ciphers are compatible. You can try to enable weak ciphers in security settings if the server only supports old SSL protocols.


However, it works when setting Security to SSL/TLS (Trust All) for both [IMAP] and [SMTP].
Is this a bug, an issue with my current setup (I am using R2Mail2 2.32) or just the way Gmail behaves?
Has anyone using Gmail encountered similar issues?


Best regards,

Tobias



Stefan Selbitschka

Jan 18, 2017, 3:29:45 AM
to r2mail2-...@googlegroups.com

Hi Tobias,

as the log points out "Error validating certificate: Certificate chain not valid - root certificate was not found!" R2Mail2 could not find a trusted root certificate for the Gmail SSL certificate.

This could have multiple reasons:

- You have disabled "use system root store" in R2Mail2 and did not install the appropriate root yourself

- You are behind a Man-In-The-Middle Proxy which breaks SSL connections

- Gmail changed its SSL certificate for your entrypoint and messed it up


regards

stefan


Tobias

Jan 18, 2017, 5:38:38 PM
to R2Mail2 BETA Test
Hi Stefan,

First of all, thanks for your quick reply!

I have enabled the use of the system root store and I'm not behind a proxy, so I'm assuming that Gmail has messed it up.
Strangely, I am able to connect just fine with the same IMAP/SMTP settings using another email client (K-9 Mail).

I think I will stay with the "Trust All" setting for now and see if it fixes itself after a while...


Best regards,

Tobias

Tobias

Jan 18, 2017, 7:25:47 PM
to R2Mail2 BETA Test
OK, first of all, I know very little about SSL Certificates, Chains and all that stuff.
I was just interested in the issue and did a lot of googling, so this could be painful to read or completely wrong.

Anyway, I tried to connect to Gmail via openssl:

For IMAP:
openssl s_client -connect imap.gmail.com:993 -showcerts
...
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=imap.gmail.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
...
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
...
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
...

For HTTPS (for comparison)
openssl s_client -connect gmail.com:443 -showcerts

...
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
...
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
...
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
...


As you can see, GeoTrust Global CA is the last Certificate in the chain and should be the root of it, which it is not.
The root CA for the chain seems to be Equifax Secure Certificate Authority which is weird because it does not appear if you inspect the ssl certificate for Gmail for example in Google Chrome.

Fingerprints of GeoTrust Global CA:
OpenSSL:  73 59 75 5C 6D F9 A0 AB C3 06 0B CE 36 95 64 C8 EC 45 42 A3 (SHA1) [Issuer=Equifax]
GoogleChrome: DE 28 F4 A4 FF E5 B9 2F A3 C5 03 D1 A3 49 A7 F9 96 2A 82 12 (SHA1) [Issuer=GeoTrust]

I looked Equifax up and google threw this at me: https://www.geotrust.com/resources/root-certificates/retired.html
So it looks like the Equifax CA used to be the root certificate for GeoTrust, but since it is expiring on August 22nd this year, they are in some kind of transition phase of their root certificates and I'm getting the "bad/old" chain with R2Mail2...

What I've done now:
I imported the Equifax Root Certificate into the Certificate Store of R2Mail2. This fixes the issue (at least until the certificate expires).


Again, this all appears very strange to me,
and I could be completely wrong; any thoughts? :/


Best regards,

Tobias

Stefan Selbitschka

Jan 24, 2017, 6:36:28 AM
to R2Mail2 BETA Test
Hi Tobias,

I just got a new phone and upgraded to Android 7 - here is what I found out:

In Android 6 the Equifax Root CA is still preinstalled; in Android 7 it isn't anymore. I guess this is because it uses a 1024-bit RSA key. By the way, the certificate expires on 2018-08-22, so more than one and a half years from now. I think Google has implemented new truststore rules for Android 7 and no longer includes certificates with 1024-bit keys, which is great.
What is strange is that they are still using a certificate from this root for the IMAP SSL channel.

Now you need to install the certificate manually, after this everything works as expected.

The only thing I can do is to make the error message more clear, because at the moment its not perfect.

regards
stefan
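Added example, not code from the thread, from R2Mail2 or from Google: the following script rebuilds the situation diagnosed in the two posts above with a throwaway PKI. It issues a chain whose root has a 1024-bit RSA key (the property of the Equifax Secure CA that Android 7 stopped shipping), verifies the served part of the chain (leaf plus intermediate) against an empty trust store to reproduce the "root certificate was not found" failure, then verifies again with the root trusted, which is what importing the root into the app's certificate store does. It also prints the root's key size and SHA-1 fingerprint, the two values the thread inspects. All names (Example Secure CA, imap.example.test) are made up; it needs only the openssl command-line tool and no network access.

```shell
#!/bin/sh
# Added example (not from the thread or R2Mail2). Throwaway PKI: a 1024-bit
# root, a 2048-bit intermediate and a server leaf; all names are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extension profiles (constructed): self-signed root, subordinate CA, server leaf.
printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
  'keyUsage=critical,keyCertSign,cRLSign' \
  'subjectKeyIdentifier=hash' > "$WORK/root.ext"
printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
  'keyUsage=critical,keyCertSign,cRLSign' \
  'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid' > "$WORK/ca.ext"
printf '%s\n' 'basicConstraints=CA:FALSE' \
  'keyUsage=critical,digitalSignature,keyEncipherment' \
  'extendedKeyUsage=serverAuth' 'subjectAltName=DNS:imap.example.test' \
  'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid' > "$WORK/leaf.ext"

# Root CA with a 1024-bit RSA key, the property Android 7 stopped trusting.
openssl req -new -newkey rsa:1024 -nodes -keyout "$WORK/root.key" \
  -out "$WORK/root.csr" -subj "/O=Example CA/CN=Example Secure CA" 2>/dev/null
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
  -extfile "$WORK/root.ext" -out "$WORK/root.pem" 2>/dev/null

# Intermediate CA issued by the root, like GeoTrust Global CA under Equifax above.
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/inter.key" \
  -out "$WORK/inter.csr" -subj "/O=Example CA/CN=Example Intermediate CA" 2>/dev/null
openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 1825 -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" 2>/dev/null

# Server leaf issued by the intermediate. Leaf + intermediate is what a server
# sends in the handshake; the root normally is not sent and must be trusted locally.
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
  -out "$WORK/leaf.csr" -subj "/CN=imap.example.test" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
  -CAcreateserial -days 365 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

# A client whose trust store lacks the root: default CA file/dir are disabled, only
# the untrusted intermediate is available. Exits non-zero with
# "unable to get issuer certificate" (or "... local issuer certificate").
verify_without_root() {
  openssl verify -no-CAfile -no-CApath -untrusted "$WORK/inter.pem" "$WORK/leaf.pem"
}

# The fix from the thread: trust the root explicitly. Importing it into the app's
# certificate store is the GUI equivalent of -CAfile here. Exits 0 and prints "OK".
verify_with_root() {
  openssl verify -no-CAfile -no-CApath -CAfile "$WORK/root.pem" \
    -untrusted "$WORK/inter.pem" "$WORK/leaf.pem"
}

# RSA modulus size of a certificate's public key (matches 1.1.x and 3.x text output).
key_bits() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# SHA-1 fingerprint, the value the thread compares between OpenSSL and Chrome.
sha1_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^[^=]*=//'
}

echo "root key size: $(key_bits "$WORK/root.pem") bit"
echo "root SHA-1:    $(sha1_fingerprint "$WORK/root.pem")"
if verify_without_root; then echo "unexpected: verified without the root"; exit 1; fi
verify_with_root
```

Run it as a plain POSIX shell script. The first verify fails exactly the way R2Mail2's log does (the issuer of the last served certificate cannot be found anywhere trusted), the second succeeds once the root is supplied. Note that the "Trust All" setting mentioned earlier in the thread removes this check entirely, so it also removes any protection against the man-in-the-middle proxy case Stefan listed; importing the specific root keeps the check in place.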

Milan Markovic Matthis

Feb 2, 2017, 3:26:59 PM
to R2Mail2 BETA Test
hey there, i am having the same problem, can you tell me how to install the certificate manually?
thanks!

milan

Stefan Selbitschka

Feb 6, 2017, 7:43:57 AM
to R2Mail2 BETA Test
Sure.

Just download the EquifaxSecureCA Root certificate and import it in R2Mail2. I've attached the export of the Root from my Android 6.0 device.

Just copy the file on your phone and open it. R2Mail2 should be a suggested app to open it. Then click "Import ..." on the top of the certificate view.

If R2Mail2 is not suggested to open the certificate, go into the app, open the certificate store and hit the "+" sign. Select the file. Done.

regards
stefan
[Attachment: BuiltinObjectToken:EquifaxSecureCA.cer]