Each receive of mail (claws-mail) results in rotation of 2 SSL certificates; one expires 4/22 and then other 12/2015..

Each receive of mail (claws-mail) results in rotation of 2 SSL certificates; one expires 4/22 and then other 12/2015.. kmmeyer77 3/26/11 8:47 AM
Explain your issue in full detail here:
When I get mail from claws-mail, two SSL certificates are being rotated almost each attempt.
One is expiring 4/22/2011 and the other in 2015 (if I recall correctly).  This results in a message
to accept the new SSL certificate.  Both are from Google, Mountain View... and everything appears
to check out.  The IP address is also the same.  :(

This is annoying...

Claws-mail 3.7.6
Linux, latest kernel ...
Ubuntu
2.6.35-28-generic #49-Ubuntu SMP Tue Mar 1 14:40:58 UTC 2011 i686 GNU/Linux

Re: Each receive of mail (claws-mail) results in rotation of 2 SSL certificates; one expires 4/22 and then other 12/2015.. kmmeyer77 3/26/11 8:51 AM
Certificate from 4/22/2011 and 02/15/2012  ... not every time, but regularly they
get rotated if I accept the change. 

Re: Each receive of mail (claws-mail) results in rotation of 2 SSL certificates; one expires 4/22 and then other 12/2015.. n5pwp1 3/26/11 9:42 AM
I'm running Claws Mail version 3.7.4cvs1 on Vista 64bit and am seeing the same thing since yesterday (3/25). Sometimes I can pull mail, other times I get the SSL has changed message box. If I accept the new certificate then try to pull mail again, it says the cert has changed again and rotates back to the original certificate. If I don't accept, it terminates the connection with GMail. In the network log it registers an SSL Handshake failure. Does this have to do with the Iranian attack against Google and Skype?

Re: Each receive of mail (claws-mail) results in rotation of 2 SSL certificates; one expires 4/22 and then other 12/2015.. kmmeyer77 3/27/11 8:10 AM
Deleting the files in the cert directory seems to have resolved this, or Google did.

Thanks!

Re: Each receive of mail (claws-mail) results in rotation of 2 SSL certificates; one expires 4/22 and then other 12/2015.. kmmeyer77 3/27/11 8:26 AM
So much for that...

It's baaaaaaccccccckkkkkkk  !!!!!

Come on Google, get your act together!

Re: Each receive of mail (claws-mail) results in rotation of 2 SSL certificates; one expires 4/22 and then other 12/2015.. dsc_vienna 3/28/11 1:54 AM
I have had the exact same issue for a few days. Very annoying.

Claws Mail 3.7.2
Linux 2.6.31-22-generic #63-Ubuntu SMP Wed Aug 18 22:54:26 UTC 2010 i686 GNU/Linux

Re: Each receive of mail (claws-mail) results in rotation of 2 SSL certificates; one expires 4/22 and then other 12/2015.. GordoL 3/28/11 8:41 AM
This has been driving me nuts as well.

http://node.gordo4.com/snaps/ed5d79f93a0a68427745a64291e2d3a8.png
vs
http://node.gordo4.com/snaps/01b174161c47d9bce5414676040b455c.png

Would be nice if Google had an actual support contact. Shit is ridiculous...

Re: Each receive of mail (claws-mail) results in rotation of 2 SSL certificates; one expires 4/22 and then other 12/2015.. GordoL 3/28/11 8:57 AM
Check this out, has nothing to do with claws-mail. These commands were run seconds apart. The certificates keep changing back and forth. My best guess is that they use multiple servers to balance the load, and they do not all use the same certificate.

(~) gordo@queso $ openssl s_client -connect pop.gmail.com:995 -ssl3
CONNECTED(00000003)
depth=1 C = US, O = Google Inc, CN = Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority
---
No client certificate CA names sent
---
SSL handshake has read 1738 bytes and written 349 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : RC4-SHA
    Session-ID: 5E0A8C0B43DD1B3A67CA155F08D4A5F69DE4EB9B8609BBB411B20435C26D3592
    Session-ID-ctx:
    Master-Key: 12DA0F964F58E3FEDFF6C7E2CF794202B7923D6C666692A6FE650671631422385123FA364A02F8C0F31CE118126791C6
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1301327544
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
+OK Gpop ready for requests from 24.175.144.8 v41pf5084249yba.5


(~) gordo@queso $ openssl s_client -connect pop.gmail.com:995 -ssl3
CONNECTED(00000003)
depth=1 C = US, O = Google Inc, CN = Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority
---
No client certificate CA names sent
---
SSL handshake has read 1738 bytes and written 349 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : RC4-SHA
    Session-ID: 126DAFC1E9FBEC1294219363FC7A46F646C4E744B5BB41FEFE2FEBFAA58FEFFB
    Session-ID-ctx:
    Master-Key: 555C92E0448A913EE81ADF7AE511FBB4408E28AFDAB60BEF8CA39D6FE8CFC78EFE4E2E3FE36E286BBEBD3043CC3DA8AD
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1301327568
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
+OK Gpop ready for requests from 24.175.144.8 p5pf6946923yhm.34

Re: Each receive of mail (claws-mail) results in rotation of 2 SSL certificates; one expires 4/22 and then other 12/2015.. torstenww 3/30/11 2:04 PM
Same problem here:

Claws-Mail 3.7.8
ArchLinux

Two different certificates, due to load-balancing, sounds strange - it costs money to register a certificate, why should Google waste money by buying another certificate?

Re: Each receive of mail (claws-mail) results in rotation of 2 SSL certificates; one expires 4/22 and then other 12/2015.. Brandon L 3/30/11 5:19 PM
Everyone -

As you can see, the expiration date on the old certificate is fast approaching (4/22/2011), so we had to update our certificates to new ones.

All production changes of this type are canaried, i.e. rolled out first to a small percentage of our servers.  These canaries usually run for 3-5 days before being rolled out to the rest of the servers.

It's unfortunate that your client doesn't like to see rotating certs, though.  You're going to see this issue every year or two, since we have to renew the certificates that often.  If you can, I'd talk to the developers of the client and see if they'd move to a model of permanently accepting a certificate instead of objecting every time there's a switch.

In any case, the new certs should be on all servers at this time, so this issue should be resolved until next year.

Brandon
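
Added example, not part of the thread and not Claws Mail's or Google's code: a small simulation of the behaviour described above, where a load-balanced pool serves the old and the renewed certificate during a canary rollout. It compares a client that remembers one certificate per host with one that keeps every certificate the user has accepted. The fingerprints, function names and the 30% canary fraction are assumptions; the expiry dates are the ones reported in the thread.

```python
import random

# Constructed stand-ins for the two leaf certificates in the thread; the
# fingerprints are placeholders, the expiry dates are the ones posters reported.
OLD = {"fp": "OLD-CERT-FINGERPRINT", "not_after": "2011-04-22"}
NEW = {"fp": "NEW-CERT-FINGERPRINT", "not_after": "2012-02-15"}


def canary_pool(n_connections, canary_fraction, seed=0):
    """Yield the certificate each connection sees while only a fraction
    of the load-balanced servers carry the renewed certificate."""
    rng = random.Random(seed)
    for _ in range(n_connections):
        yield NEW if rng.random() < canary_fraction else OLD


def prompts_single_slot(certs):
    """Client remembers one certificate per host and overwrites it on accept."""
    saved, prompts = None, 0
    for cert in certs:
        if saved is not None and cert["fp"] != saved:
            prompts += 1          # "certificate has changed" dialog
        saved = cert["fp"]        # user accepts, the previous pin is lost
    return prompts


def prompts_pin_set(certs):
    """Client keeps every certificate the user has accepted for the host."""
    accepted, prompts = set(), 0
    for cert in certs:
        if accepted and cert["fp"] not in accepted:
            prompts += 1          # asked once per certificate not seen before
        accepted.add(cert["fp"])  # first use is stored without a change prompt
    return prompts


def compare(n_connections=40, canary_fraction=0.3, seed=0):
    """Return (single-slot prompts, pin-set prompts) for one simulated rollout."""
    seen = list(canary_pool(n_connections, canary_fraction, seed))
    return prompts_single_slot(seen), prompts_pin_set(seen)


if __name__ == "__main__":
    single, pin_set = compare()
    print(f"single-slot store: {single} prompts; pin set: {pin_set} prompt(s)")
```

The single-slot store prompts on every flip between servers, which matches the "rotates back to the original certificate" reports; the pin set prompts once per new certificate, and the user still makes that one decision.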