Package: evolution
Version: 2.32.2-1
Severity: important

I wanted to try evolution again, so I started setting up an email account. When configuring SMTP, I entered the server "mail.gandi.net", selected "SSL encryption" from the "Use secure connection" dropdown, checked "Server requires authentication", and hit "Check for Supported Types". This connected to the SMTP server via smtps, and promptly gave the following SSL certificate warning:

SSL Certificate check for mail.gandi.net:

Issuer: CN=Gandi Standard SSL CA,O=GANDI SAS,C=FR
Subject: CN=mail.gandi.net,OU=Gandi Standard SSL,OU=Domain Control Validated
Fingerprint: f9:cd:59:ab:ed:8b:88:7f:61:82:c1:9d:72:3d:a3:ed
Signature: BAD

Do you wish to accept?

I checked the certificate using openssl s_client and gnutls-cli from the command line, and both of them said the SSL certificate looked just fine:

~$ gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p smtps mail.gandi.net < /dev/null
Processed 141 CA certificate(s).
Resolving 'mail.gandi.net'...
Connecting to '217.70.184.11:465'...
- Ephemeral Diffie-Hellman parameters
 - Using prime: 1024 bits
 - Secret key: 1023 bits
 - Peer's public key: 1024 bits
- Certificate type: X.509
 - Got a certificate list of 4 certificates.
 - Certificate[0] info:
  - subject `OU=Domain Control Validated,OU=Gandi Standard SSL,CN=mail.gandi.net', issuer `C=FR,O=GANDI SAS,CN=Gandi Standard SSL CA', RSA key 2048 bits, signed using RSA-SHA1, activated `2011-02-25 00:00:00 UTC', expires `2012-03-01 23:59:59 UTC', SHA-1 fingerprint `7994853377552068acd98d8a95d20151f89eccc5'
 - Certificate[1] info:
  - subject `C=FR,O=GANDI SAS,CN=Gandi Standard SSL CA', issuer `C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware', RSA key 2048 bits, signed using RSA-SHA1, activated `2008-10-23 00:00:00 UTC', expires `2020-05-30 10:48:38 UTC', SHA-1 fingerprint `a9f79883a075ce82d20d274d1368e876140d33b3'
 - Certificate[2] info:
  - subject `C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware', issuer `C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root', RSA key 2048 bits, signed using RSA-SHA1, activated `2005-06-07 08:09:10 UTC', expires `2020-05-30 10:48:38 UTC', SHA-1 fingerprint `3d4b2a4c64317143f50258d7e6fd7d3c021a529e'
 - Certificate[3] info:
  - subject `C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root', issuer `C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root', RSA key 2048 bits, signed using RSA-SHA1, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30 10:48:38 UTC', SHA-1 fingerprint `02faf3e291435468607857694df5e45b68851868'
- The hostname in the certificate matches 'mail.gandi.net'.
- Peer's certificate is trusted
- Version: TLS1.0
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed

~$ openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -connect mail.gandi.net:smtps < /dev/null
CONNECTED(00000003)
depth=3 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
verify return:1
depth=2 /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
verify return:1
depth=1 /C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
verify return:1
depth=0 /OU=Domain Control Validated/OU=Gandi Standard SSL/CN=mail.gandi.net
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=mail.gandi.net
   i:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
 1 s:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
 2 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
subject=/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=mail.gandi.net
issuer=/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 5306 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 39674EBDB589E119B666C134FCF980885E14158EF3CB1CDDC0F0F2E990457DD5
    Session-ID-ctx:
    Master-Key: E1CC9CC9CCEB0B8E2A5B2E45C2822853A69C7410C122B24CE14A3687EB43998BC08A135C7B5B555E766C06ED1B0DEBEC
    Key-Arg   : None
    Start Time: 1299355815
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
DONE

Given this, perhaps evolution doesn't have the right configuration to check SSL certificates properly?

- Josh Triplett

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.38-rc6-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages evolution depends on:
ii  dbus                     1.4.6-1           simple interprocess messaging syst
ii  debconf [debconf-2.0]    1.5.38            Debian configuration management sy
ii  evolution-common         2.32.2-1          architecture independent files for
ii  evolution-data-server    2.32.2-2          evolution database backend server
ii  gconf2                   2.28.1-6          GNOME configuration database syste
ii  gnome-icon-theme         2.30.3-2          GNOME Desktop icon theme
ii  libatk1.0-0              1.30.0-1          The ATK accessibility toolkit
ii  libc6                    2.11.2-13         Embedded GNU C Library: Shared lib
ii  libcairo2                1.10.2-4          The Cairo 2D vector graphics libra
ii  libcamel1.2-19           2.32.2-2          The Evolution MIME message handlin
ii  libcanberra-gtk0         0.24-1            Gtk+ helper for playing widget eve
ii  libcanberra0             0.24-1            a simple abstract interface for pl
ii  libdbus-1-3              1.4.6-1           simple interprocess messaging syst
ii  libdbus-glib-1-2         0.88-2.1          simple interprocess messaging syst
ii  libebackend1.2-0         2.32.2-2          Utility library for evolution data
ii  libebook1.2-10           2.32.2-2          Client library for evolution addre
ii  libecal1.2-8             2.32.2-2          Client library for evolution calen
ii  libedataserver1.2-14     2.32.2-2          Utility library for evolution data
ii  libedataserverui1.2-11   2.32.2-2          GUI utility library for evolution
ii  libegroupwise1.2-13      2.32.2-2          Client library for accessing group
ii  libenchant1c2a           1.6.0-1           a wrapper library for various spel
ii  libevolution             2.32.2-1          evolution libraries
ii  libfontconfig1           2.8.0-2.1         generic font configuration library
ii  libfreetype6             2.4.4-1           FreeType 2 font engine, shared lib
ii  libgail18                2.20.1-2          GNOME Accessibility Implementation
ii  libgconf2-4              2.28.1-6          GNOME configuration database syste
ii  libgdata7                0.6.4-3           Library for accessing GData webser
ii  libglib2.0-0             2.28.1-1+b1       The GLib library of C routines
ii  libgnome-desktop-2-17    2.30.2-2          Utility library for loading .deskt
ii  libgtk2.0-0              2.20.1-2          The GTK+ graphical user interface
ii  libgtkhtml-editor-3.14-  3.32.2-1          HTML rendering/editing library - e
ii  libgtkhtml3.14-19        3.32.2-1          HTML rendering/editing library - r
ii  libgweather1             2.30.3-1          GWeather shared library
ii  libical0                 0.44-3            iCalendar library implementation i
ii  libice6                  2:1.0.7-1         X11 Inter-Client Exchange library
ii  libnotify1 [libnotify1-  0.5.0-2           sends desktop notifications to a n
ii  libnspr4-0d              4.8.7-2           NetScape Portable Runtime Library
ii  libnss3-1d               3.12.9~beta2-1    Network Security Service libraries
ii  libpango1.0-0            1.28.3-2~sid1     Layout and rendering of internatio
ii  libsm6                   2:1.2.0-1         X11 Session Management library
ii  libsoup2.4-1             2.32.2-1          an HTTP library implementation in
ii  libsqlite3-0             3.7.5-1           SQLite 3 shared library
ii  libstartup-notification  0.10-1            library for program launch feedbac
ii  libunique-1.0-0          1.1.6-2           Library for writing single instanc
ii  libxml2                  2.7.8.dfsg-2      GNOME XML library
ii  zlib1g                   1:1.2.3.4.dfsg-3  compression library - runtime

Versions of packages evolution recommends:
pn  bogofilter | spamassassi  <none>           (no description available)
ii  evolution-plugins         2.32.2-1         standard plugins for Evolution
pn  evolution-webcal          <none>           (no description available)
ii  gnome-desktop-data        2.30.2-2         Common files for GNOME desktop app
ii  yelp                      2.30.1+webkit-1  Help browser for GNOME

Versions of packages evolution suggests:
pn  bug-buddy                      <none>    (no description available)
pn  evolution-dbg                  <none>    (no description available)
pn  evolution-exchange             <none>    (no description available)
pn  evolution-plugins-experimenta  <none>    (no description available)
ii  gnupg                          1.4.11-3  GNU privacy guard - a free PGP rep
ii  network-manager                0.8.2-5   network management framework daemo

-- debconf information excluded
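
The warning dialog in the report prints a 16-byte fingerprint, while gnutls-cli prints a 20-byte SHA-1 one, so the two cannot be compared by eye. The following is an added example, not part of the original report and not Evolution's code: it pulls the PEM block out of saved `openssl s_client` output and checks a displayed fingerprint against it. Inferring the digest from its length (16 bytes MD5, 20 bytes SHA-1) is an assumption, and the sample input is constructed.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Digest length in bytes -> hashlib name, used to guess what a dialog printed.
# Assumption: the client shows a plain digest of the DER-encoded certificate.
ALGO_BY_LEN = {16: "md5", 20: "sha1", 32: "sha256"}


def pem_blocks_to_der(text):
    """Return the DER bytes of every PEM certificate block found in text."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_RE.findall(text)]


def normalize(fingerprint):
    """'F9:CD:..' or 'f9cd..' -> bytes; raises ValueError on non-hex input."""
    return bytes.fromhex(re.sub(r"[:\s]", "", fingerprint))


def match_fingerprint(der, shown):
    """Return the digest name under which `shown` matches `der`, else None."""
    raw = normalize(shown)
    algo = ALGO_BY_LEN.get(len(raw))
    if algo is None:
        raise ValueError("unrecognised fingerprint length: %d bytes" % len(raw))
    return algo if hashlib.new(algo, der).digest() == raw else None


# Constructed input: s_client-style text whose PEM body is the three bytes
# b"abc" (a stand-in, not a real certificate; the hashing is the same).
SAMPLE_OUTPUT = """\
Server certificate
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
subject=/CN=mail.example.test
"""

if __name__ == "__main__":
    der = pem_blocks_to_der(SAMPLE_OUTPUT)[0]
    for shown in ("90:01:50:98:3c:d2:4f:b0:d6:96:3f:7d:28:e1:7f:72",
                  "a9993e364706816aba3e25717850c26c9cd0d89d",
                  "00:01:50:98:3c:d2:4f:b0:d6:96:3f:7d:28:e1:7f:72"):
        print(shown, "->", match_fingerprint(der, shown))
```

A `None` result means the dialog is showing a different certificate from the one the command-line tools validated, which is worth ruling out before accepting the prompt.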

