Re: starttls + gnutls-cli problems
Tue, 03 Apr 2012 20:12:27 -0400
Gnus/5.13 (Gnus v5.13) Emacs/23.3 (gnu/linux)
Nikolaus Rath <Nikolaus@rath.org> writes:
> I have a problem with accessing an IMAP server using starttls. My select
> method is
> gnus-secondary-select-methods '(
> (nnimap ""
> (nnimap-stream starttls)
> (nnimap-logout-timeout 1.0)
> (nnir-search-engine imap)))
> When I attempt to connect to this server, I get the following in
> | imap: Connecting to ebox.rath.org...
> | Opening STARTTLS connection to `ebox.rath.org:143'...done
> | imap: Connecting with STARTTLS...
> | STARTTLS negotiation failed: *** Starting TLS handshake
> | - Peer's certificate issuer is unknown
> | - Peer's certificate is NOT trusted
> | - The hostname in the certificate matches 'ebox.rath.org'.
> | *** Verifying server certificate failed...
> | *** Fatal error: Error in the certificate.
> | *** Handshake has failed
> | Process imap<2> exited abnormally with code 1
> | imap: Connecting with STARTTLS...failed
> | imap: Connecting to ebox.rath.org...failed
> | Couldn't open nnimap:
> However, if I manually execute gnutls-cli, everything works fine:
> | # gnutls-cli -s ebox.rath.org -p 143
> | WARNING: gnome-keyring:: couldn't connect to: /tmp/keyring-Ak9iJF/pkcs11: No such file or directory
> | Processed 152 CA certificate(s).
> | Resolving 'ebox.rath.org'...
> | Connecting to '18.104.22.168:143'...
> | - Simple Client Mode:
> | * OK ebox Cyrus IMAP4 v2.2.13-Debian-2.2.13-19squeeze3build0.10.04.1 server
> Does anyone have a suggestion of how to debug this further? Is there a
> way to show the exact commandline that starttls is using to start
OK, so the problem is that gnutls-cli -s doesn't try to establish the
TLS connection right away but waits for an EOF on STDIN. So if I type "2
STARTTLS" to tell the server that I'm going to switch to TLS and press
Ctrl-D, TLS negotiation starts and then aborts because of the untrusted
The reason that this worked in the past is that gnutls 3.0.12 did not
automatically abort for untrusted certificates. gnutls 3.0.17 started
failing by default.
As a temporary fix, I thus added --insecure to starttls-extra-arguments,
so that gnutls-cli behaves as before.
However, it turns out that there is an even better fix. gnutls now
supports an ssh style "known_hosts" file. The way to use this is to
first connect manually on the console:
| # gnutls-cli -p 143 -s ebox.rath.org --tofu
| Processed 152 CA certificate(s).
| Resolving 'ebox.rath.org'...
| Connecting to '22.214.171.124:143'...
| - Simple Client Mode:
| * OK ebox Cyrus IMAP4 v2.2.13-Debian-2.2.13-19squeeze3build0.10.04.1 server
| 2 starttls
| 2 OK Begin TLS negotiation now
| [ Ctrl-D ]
| *** Starting TLS handshake
| - Peer's certificate issuer is unknown
| - Peer's certificate is NOT trusted
| - The hostname in the certificate matches 'ebox.rath.org'.
| *** Verifying server certificate failed...
| - X.509 cert: subject `C=US,ST=New York,L=New York,O=Nikolaus Rath,CN=ebox.rath.org,EMAIL=Nikolaus@rath.org', issuer `C=US,ST=New York,O=Nikolaus Rath,CN=Nikolaus Rath,EMAIL=Nikolaus@rath.org', RSA key 1024 bits, signed using RSA-SHA1, activated `2011-01-10 01:07:37 UTC', expires `2021-01-07 01:07:37 UTC', SHA-1 fingerprint
| Public Key Id:
| Public key's random art:
| +--[ RSA 1024]----+
| | |
| | |
| | . |
| | . = |
| | o S o . |
| | o * = o . . |
| |E . + * = o + . .|
| | . . o + o . o +o|
| | .o .o*|
| Host ebox.rath.org (imap2) has never been contacted before.
| Its certificate is valid for ebox.rath.org.
| Are you sure you want to trust it? (y/N): y
| - Successfully sent 0 certificate(s) to server.
...and then add "--tofu" instead of "--insecure" to
starttls-extra-arguments. Gnus/Gnutls will then validate the server
certificate against the stored fingerprint.
I hope this saves someone else some time.
»Time flies like an arrow, fruit flies like a Banana.«
PGP fingerprint: 5B93 61F8 4EA2 E279 ABF6 02CF A9AD B7F8 AE4E 425C
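The exchange the post drives by hand (server greeting, "2 STARTTLS", the tagged OK, then the TLS handshake) and the --tofu style of checking the server against a stored fingerprint instead of a CA, written out as an added Python example. This is not code from the original post, from GnuTLS or from Gnus; the function names, the in-memory known-hosts dict, the SHA-256 fingerprint format and the sample transcript are this example's own assumptions, and only connect_imap_tofu() touches the network.

```python
# Added example (not from the original post, GnuTLS or Gnus): the IMAP
# STARTTLS prelude that gnutls-cli -s leaves to the user ("2 STARTTLS", then
# EOF), followed by trust-on-first-use pinning in the spirit of --tofu.
# The pin format, the function names and the transcripts are assumptions.
import hashlib
import io
import socket
import ssl


class StartTlsError(Exception):
    """Plaintext prelude or pin check failed: do not continue in the clear."""


def parse_tagged(line, tag):
    """(status, text) for a '<tag> OK|NO|BAD text' reply, None if untagged."""
    parts = line.rstrip("\r\n").split(" ", 2)
    if len(parts) < 2 or parts[0] != tag:
        return None
    status = parts[1].upper()
    if status not in ("OK", "NO", "BAD"):
        raise StartTlsError("malformed tagged reply: %r" % line)
    return status, (parts[2] if len(parts) == 3 else "")


def negotiate_starttls(rfile, wfile, tag="a1"):
    """Check the greeting, send '<tag> STARTTLS', wait for the tagged OK.
    Returns the server's reply text; anything else raises, so a caller never
    falls through to sending credentials unencrypted."""
    greeting = rfile.readline()
    if not greeting.startswith("* OK"):
        raise StartTlsError("unexpected greeting: %r" % greeting)
    wfile.write("%s STARTTLS\r\n" % tag)
    wfile.flush()
    while True:
        line = rfile.readline()
        if not line:
            raise StartTlsError("connection closed before tagged reply")
        reply = parse_tagged(line, tag)
        if reply is None:
            continue  # untagged data, keep waiting for our tag
        status, text = reply
        if status != "OK":
            raise StartTlsError("server refused STARTTLS: %s %s" % (status, text))
        return text  # only now may the TLS handshake start


def run_transcript(transcript, tag="a1"):
    """Offline driver: feed a constructed server transcript to the prelude
    and return (bytes the client sent, the server's tagged reply text)."""
    sent = io.StringIO()
    text = negotiate_starttls(io.StringIO(transcript), sent, tag)
    return sent.getvalue(), text


def fingerprint(cert_der):
    """SHA-256 of the DER certificate, colon-separated hex: the value pinned."""
    digest = hashlib.sha256(cert_der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def tofu_check(known, host, port, cert_der, accept_new=lambda fp: True):
    """Trust-on-first-use verdict over a 'host:port' -> fingerprint dict.
    'new': nothing pinned yet; accept_new(fp) stands in for gnutls-cli's
    'Are you sure you want to trust it?' prompt and the pin is stored.
    'match': equals the pin.  A changed certificate raises; that is the only
    case TOFU can catch, since the first connection is taken on faith."""
    key = "%s:%d" % (host, port)
    fp = fingerprint(cert_der)
    pinned = known.get(key)
    if pinned is None:
        if not accept_new(fp):
            raise StartTlsError("refused to pin %s" % key)
        known[key] = fp
        return "new"
    if pinned == fp:
        return "match"
    raise StartTlsError("certificate for %s changed: pinned %s, got %s"
                        % (key, pinned, fp))


def connect_imap_tofu(host, port=143, known=None, timeout=10):
    """Live version (needs the network): prelude in the clear, then a TLS
    handshake that skips CA validation and relies on the pin instead.
    Persisting `known` to disk between runs is left to the caller."""
    known = {} if known is None else known
    sock = socket.create_connection((host, port), timeout=timeout)
    rfile = sock.makefile("r", encoding="ascii", newline="")
    wfile = sock.makefile("w", encoding="ascii", newline="")
    negotiate_starttls(rfile, wfile)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # identity comes from the pin,
    ctx.verify_mode = ssl.CERT_NONE  # not from the CA bundle (cf. --insecure)
    tls = ctx.wrap_socket(sock, server_hostname=host)
    verdict = tofu_check(known, host, port, tls.getpeercert(binary_form=True))
    return tls, verdict
```

Two things worth keeping in mind when reproducing this with gnutls-cli itself: the -s flag defers the handshake until stdin reaches EOF, which is why the post types the STARTTLS command and then presses Ctrl-D, and later gnutls-cli releases can run this exchange on their own with --starttls-proto=imap. Note also the difference between the two fixes in the post: --insecure switches certificate checking off entirely, while --tofu (like tofu_check above) still accepts whatever is presented on the first connection and only detects a certificate that changes afterwards.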