
inconsistent IMAP SSL cert chain

inconsistent IMAP SSL cert chain Raphaël Droz 9/22/13 4:35 AM
For 3 days, Gmail IMAPS has been using 2 different certificate chains, seemingly at random (20% of the cases).

$ resolveip imap.gmail.com
IP address of imap.gmail.com is 173.194.66.109
IP address of imap.gmail.com is 173.194.66.108

The issue is independent from the IP used.

$ for i in {1..5}; do echo ""|openssl s_client -connect 173.194.67.108:imaps -prexit 2>/dev/null|egrep ' Gimap|s:/'; echo "======"; done
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=imap.gmail.com
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority
* OK Gimap ready for requests from xxx z5if3601860wix.136
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=imap.gmail.com
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority
======
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=imap.gmail.com
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority
* OK Gimap ready for requests from xxx r52if3987820wep.149
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=imap.gmail.com
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority
======
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=imap.gmail.com
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=imap.gmail.com
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
======
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=imap.gmail.com
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority
* OK Gimap ready for requests from xxx f58if6576608web.44
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=imap.gmail.com
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority
======
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=imap.gmail.com
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority
* OK Gimap ready for requests from xxx fb5if3585013wib.155
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=imap.gmail.com
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority
======

Notice the different certificate sent the 3rd time; it's from the Google Internet Authority G2
and is pasted here: http://bpaste.net/show/134462/

I didn't have this certificate in my mutt certificate file; maybe I'll add it in case I'm
not subject to a MITM, but anyway I wonder why the IMAP server could send 2 distinct certificate chains, as it's confusing.


thank you
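
What the poster did by eye over five connections can be done systematically. The script below is an added example, not code from the thread or from Google: it parses the "Certificate chain" block that `openssl s_client` prints (the " 0 s:..." subject lines and the "i:..." issuer lines under them), tallies the distinct chains seen across many connections, and reports which trust anchor each chain ends in. The two sample outputs are constructed from the subjects shown above; their issuer lines are assumptions added for the example.

```python
"""Tally the certificate chains returned by repeated TLS connections.

Added example; not code from the original thread. The sample s_client
outputs are constructed from the subjects shown in the thread; the issuer
lines in them are assumptions.
"""
import re
import subprocess
from collections import Counter

_SUBJECT = re.compile(r"^\s*\d+\s+s:(.*)$")   # " 0 s:/C=US/..."
_ISSUER = re.compile(r"^\s*i:(.*)$")          # "   i:/C=US/..."


def parse_chain(s_client_output: str) -> tuple:
    """Return ((subject, issuer), ...) from the first chain block only.

    With -prexit s_client prints the chain a second time on exit (which is
    why every run above shows it twice), so stop at the "---" separator
    that closes the first block.
    """
    entries = []
    in_block = False
    for line in s_client_output.splitlines():
        if line.strip() == "Certificate chain":
            in_block = True
            continue
        if not in_block:
            continue
        if line.startswith("---"):
            break
        m = _SUBJECT.match(line)
        if m:
            entries.append([m.group(1).strip(), ""])
            continue
        m = _ISSUER.match(line)
        if m and entries and not entries[-1][1]:
            entries[-1][1] = m.group(1).strip()
    return tuple((s, i) for s, i in entries)


def trust_anchor(chain: tuple) -> str:
    """Issuer of the last certificate the server sent: the CA that must be
    in the client's trust store for the chain to validate."""
    return chain[-1][1] if chain else ""


def chain_histogram(outputs) -> Counter:
    """Map each distinct chain to the number of connections that sent it."""
    return Counter(parse_chain(o) for o in outputs)


def report(outputs) -> list:
    """(count, chain) pairs, most common first."""
    return [(n, c) for c, n in chain_histogram(outputs).most_common()]


def s_client(host: str, port: int = 993, timeout: float = 20) -> str:
    """One real handshake; needs network and the openssl binary.
    -servername sends SNI, which the poster's IP-only command did not."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", host]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return proc.stdout.decode(errors="replace")


def probe(host: str, n: int = 20, port: int = 993) -> list:
    """Connect n times and report the distinct chains seen (network)."""
    return report([s_client(host, port) for _ in range(n)])


# Constructed sample outputs shaped like s_client's chain block. Subjects are
# the ones seen in the thread; the issuer lines are assumptions.
CHAIN_A = """CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=imap.gmail.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
"""
CHAIN_B = """CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=imap.gmail.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
Server certificate
"""

if __name__ == "__main__":
    # Four of five connections returned chain A; one returned chain B.
    for count, chain in report([CHAIN_A, CHAIN_A, CHAIN_B, CHAIN_A, CHAIN_A]):
        print(f"{count}x  anchor={trust_anchor(chain)}")
        for subject, _issuer in chain:
            print("     ", subject)
```

Replace the constructed list with `probe("imap.gmail.com")` to run it live. Grouping by the full (subject, issuer) chain rather than by the leaf subject alone is what surfaces a canary: the leaf name is identical in both chains above, and only the issuer path differs.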

Re: inconsistent IMAP SSL cert chain bkennelly 9/22/13 8:10 AM
Google has many servers, located all over the world. Different servers may have different certificates, but they should all chain to a well-known CA.
Re: inconsistent IMAP SSL cert chain Bret Barker 9/25/13 1:34 PM
I just started getting this odd chain with GeoTrust in it today. Needless to say I'm not trusting it, and a reconnection gets me the already trusted cert I've had.
Re: inconsistent IMAP SSL cert chain Shibi1800 9/27/13 2:28 AM
More reasons to remove the last part of my reliance on the NSA^h^h^hGoogle.

Moved my server to asia, using Yandex for search and I think it's time to get my mail off the USA computers too.

Fucking American Spies.

Re: inconsistent IMAP SSL cert chain ZakMcKraken 9/27/13 7:14 AM
http://googleonlinesecurity.blogspot.fr/2013/05/changes-to-our-ssl-certificates.html

This year our SSL services will undergo a series of certificate upgrades—specifically, all of our SSL certificates will be upgraded to 2048-bit keys by the end of 2013

Here are some examples of improper validation practices that could very well lead to the inability of client software to connect to Google using SSL after the upgrade:
- Matching the leaf certificate exactly (e.g. by hashing it)
- Matching any other certificate (e.g. Root or Intermediate signing certificate) exactly
- Hard-coding the expected Root certificate, especially in firmware. This is sometimes done based on assumptions like the following:
-- The Root Certificate of our chain will not change on short notice.
-- Google will always use Thawte as its Root CA.
-- Google will always use Equifax as its Root CA.
-- Google will always use one of a small number of Root CAs.
-- The certificate will always contain exactly the expected hostname in the Common Name field and therefore clients do not need to worry about SANs.
-- The certificate will always contain exactly the expected hostname in a SAN and therefore clients don't need to worry about wildcards.


:-)
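
The last two bullets of the quoted list (CN versus SAN, and wildcards) are the checks a mail client can get wrong without any visible error. The code below is an added example, not taken from Google's post or from any client in this thread; it implements the usual RFC 6125 style hostname rules: match against subjectAltName dNSName entries, fall back to the Common Name only when the certificate has no SAN at all, compare case-insensitively, and accept "*" only as the entire leftmost label of a name with at least three labels. An IP literal, as in the poster's `openssl s_client -connect 173.194.67.108:imaps`, must match an iPAddress SAN and never a dNSName. The certificate dicts are constructed in the shape `ssl.SSLSocket.getpeercert()` returns and are not real Google certificates.

```python
"""Hostname checks that follow the quoted advice on SANs and wildcards.

Added example; not code from Google or from the thread. The certificate
dicts below are constructed stand-ins in the shape that
ssl.SSLSocket.getpeercert() returns.
"""
import ipaddress


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Does a dNSName pattern from the certificate cover hostname?"""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the whole leftmost label ("im*.gmail.com" is
    # rejected) and must not stand in for a registrable domain ("*.com").
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    # A single "*" covers exactly one label, so "*.gmail.com" covers
    # "imap.gmail.com" but neither "gmail.com" nor "a.imap.gmail.com".
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def _as_ip(text: str):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def certificate_matches_host(cert: dict, hostname: str) -> bool:
    """cert has the shape returned by ssl.SSLSocket.getpeercert()."""
    sans = cert.get("subjectAltName", ())
    ip = _as_ip(hostname)
    if ip is not None:
        # An IP literal must appear as an iPAddress SAN; dNSName and CN
        # entries never match it.
        return any(kind == "IP Address" and _as_ip(value) == ip
                   for kind, value in sans)
    dns_names = [value for kind, value in sans if kind == "DNS"]
    if dns_names:
        # Once any dNSName SAN is present the Common Name is ignored.
        return any(dns_name_matches(name, hostname) for name in dns_names)
    # Legacy certificates only: fall back to the Common Name.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return dns_name_matches(value, hostname)
    return False


# Constructed stand-ins: a modern certificate with SANs whose CN is
# irrelevant, and an old CN-only certificate.
CERT_WITH_SAN = {
    "subject": ((("countryName", "US"),), (("commonName", "mail.example.test"),)),
    "subjectAltName": (("DNS", "imap.gmail.com"), ("DNS", "*.gmail.com"),
                       ("IP Address", "173.194.66.109")),
}
CERT_CN_ONLY = {
    "subject": ((("commonName", "imap.gmail.com"),),),
}

if __name__ == "__main__":
    for host in ("imap.gmail.com", "pop.gmail.com", "gmail.com",
                 "mail.example.test", "173.194.66.109"):
        print(f"{host:20} SAN cert: {certificate_matches_host(CERT_WITH_SAN, host)!s:5} "
              f"CN-only cert: {certificate_matches_host(CERT_CN_ONLY, host)}")
```

Note that `mail.example.test` is rejected for the SAN certificate even though it is the CN: a client that still consults the CN when SANs are present accepts names the CA never vouched for. The same function works for both chains the poster saw, because it judges names, not the identity of the signing CA.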
Re: inconsistent IMAP SSL cert chain Brandon L 9/27/13 10:22 AM
Raphaël -

Given the recent exposure information, I can understand your extra level of caution.

As you noticed, we do have a new certificate in canary testing.  All changes to the service are tested on a limited set of our servers prior to being rolled out everywhere, and that includes new certificates.

The new certificates are related to Google's overall move to stronger encryption that was discussed in this blog post:

http://googleonlinesecurity.blogspot.com/2013/05/changes-to-our-ssl-certificates.html

In the past, we have found issues with new certificates and some clients, so we always try to canary such changes.

We are investigating new standards such as DANE for other ways of publishing what the valid keys are for our services, given the more widespread lack of confidence in certificate authorities.  Google Chrome already does certificate pinning for web SSL connections for an extra level of security.

You could have verified that the G2 Google internet authority certificate was ours by going to https://www.google.com/ in chrome and clicking the lock icon to see that that cert is also signed by the G2 GIA cert.

Thanks for being careful

Brandon