Re: starttls + gnutls-cli problems

info-gnus-english

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: starttls + gnutls-cli problems

From:	Nikolaus Rath
Subject:	Re: starttls + gnutls-cli problems
Date:	Tue, 03 Apr 2012 20:12:27 -0400
User-agent:	Gnus/5.13 (Gnus v5.13) Emacs/23.3 (gnu/linux)

Nikolaus Rath <Nikolaus@rath.org> writes:
> Hello,
>
> I have a problem with accessing an IMAP server using starttls. My select
> method is
>
>  gnus-secondary-select-methods '(
>                                  (nnimap ""
>                                          (nnimap-server-address 
> "ebox.rath.org")
>                                          (nnimap-stream starttls)
>                                          (nnimap-logout-timeout 1.0)
>                                          (nnir-search-engine imap)))
>
> When I attempt to connect to this server, I get the following in
> *Messages*:
>
> ,----
> | imap: Connecting to ebox.rath.org...
> | Opening STARTTLS connection to `ebox.rath.org:143'...done
> | imap: Connecting with STARTTLS...
> | STARTTLS negotiation failed: *** Starting TLS handshake
> | - Peer's certificate issuer is unknown
> | - Peer's certificate is NOT trusted
> | - The hostname in the certificate matches 'ebox.rath.org'.
> | *** Verifying server certificate failed...
> | *** Fatal error: Error in the certificate.
> | *** Handshake has failed
> | 
> | Process imap<2> exited abnormally with code 1
> | 
> | imap: Connecting with STARTTLS...failed
> | imap: Connecting to ebox.rath.org...failed
> | Couldn't open nnimap:
> `----
>
> However, if I manually execute gnutls-cli, everything works fine:
>
> ,----
> | # gnutls-cli -s ebox.rath.org -p 143
> | WARNING: gnome-keyring:: couldn't connect to: /tmp/keyring-Ak9iJF/pkcs11: 
> No such file or directory
> | Processed 152 CA certificate(s).
> | Resolving 'ebox.rath.org'...
> | Connecting to '173.255.235.238:143'...
> | 
> | - Simple Client Mode:
> | 
> | * OK ebox Cyrus IMAP4 v2.2.13-Debian-2.2.13-19squeeze3build0.10.04.1 server 
> ready
> `----
>
>
> Does anyone have a suggestion of how to debug this further? Is there a
> way to show the exact commandline that starttls is using to start
> gnutls-cli?


Ok, so the problem is that gnutls-cli -s doesn't try to establish the
TLS connection right away but waits for an EOF on STDIN. So if I type "2
STARTTLS" to tell the server that I'm going to switch to TLS and press
Ctrl-D, TLS negotiation starts and then aborts because of the untrusted
certificate.

The reason that this worked in the past is that gnutls 3.0.12 did not
automatically abort for untrusted certificates. gnutls 3.0.17 started
failing by default.

As a temporary fix, I thus added --insecure to starttls-extra-arguments,
so that gnutls-cli behaves as before.

However, it turns out that there is an even better fix. gnutls now
supports an ssh style "known_hosts" file. The way to use this is to
first connect manually on the console:

,----
| # gnutls-cli -p 143 -s ebox.rath.org --tofu
| Processed 152 CA certificate(s).
| Resolving 'ebox.rath.org'...
| Connecting to '173.255.235.238:143'...
| 
| - Simple Client Mode:
| 
| * OK ebox Cyrus IMAP4 v2.2.13-Debian-2.2.13-19squeeze3build0.10.04.1 server 
ready
| 2 starttls
| 2 OK Begin TLS negotiation now
| [ Ctrl-D ]
| *** Starting TLS handshake
| - Peer's certificate issuer is unknown
| - Peer's certificate is NOT trusted
| - The hostname in the certificate matches 'ebox.rath.org'.
| *** Verifying server certificate failed...
| - X.509 cert: subject `C=US,ST=New York,L=New York,O=Nikolaus 
Rath,CN=ebox.rath.org,EMAIL=Nikolaus@rath.org', issuer `C=US,ST=New 
York,O=Nikolaus Rath,CN=Nikolaus Rath,EMAIL=Nikolaus@rath.org', RSA key 1024 
bits, signed using RSA-SHA1, activated `2011-01-10 01:07:37 UTC', expires 
`2021-01-07 01:07:37 UTC', SHA-1 fingerprint 
`0209391a8e0c58e4beb5504279bc0aa45359557c'
|       Public Key Id:
|               2b538ad377c2e5bddedde70e076a2038f4cc2a22
|       Public key's random art:
|               +--[ RSA 1024]----+
|               |                 |
|               |                 |
|               |      .          |
|               |     . =         |
|               |      o S o   .  |
|               |     o * = o . . |
|               |E . + * = o + . .|
|               | . . o + o . o +o|
|               |           .o .o*|
|               +-----------------+
| 
| Host ebox.rath.org (imap2) has never been contacted before.
| Its certificate is valid for ebox.rath.org.
| Are you sure you want to trust it? (y/N): y
| - Successfully sent 0 certificate(s) to server.
| [...]
`----

..and then add "--tofu" instead of "--insecure" to
starttls-extra-arguments. Gnus/Gnutls will then validate the server
certificate against the stored fingerprint.

I hope this saves someone else some time.


Best,

   -Nikolaus

-- 
 »Time flies like an arrow, fruit flies like a Banana.«

  PGP fingerprint: 5B93 61F8 4EA2 E279 ABF6  02CF A9AD B7F8 AE4E 425C

[Prev in Thread]

Current Thread

[Next in Thread]

starttls + gnutls-cli problems, Nikolaus Rath, 2012/04/03
- Re: starttls + gnutls-cli problems, Nikolaus Rath <=

Prev by Date: starttls + gnutls-cli problems
Next by Date: wrapping of email - article buffer
Previous by thread: starttls + gnutls-cli problems
Next by thread: wrapping of email - article buffer
Index(es):
- Date
- Thread