[Evolution] Bug#616587: evolution: SSL certificate warning, but openssl and gnutls have no problem with the certificate
Josh Triplett
josh at joshtriplett.org
Sat Mar 5 20:11:34 UTC 2011
Package: evolution
Version: 2.32.2-1
Severity: important
I wanted to try evolution again, so I started setting up an email
account. When configuring SMTP, I entered the server "mail.gandi.net",
selected "SSL encryption" from the "Use secure connection" dropdown,
checked "Server requires authentication", and hit "Check for Supported
Types". This connected to the SMTP server via smtps, and promptly
gave the following SSL certificate warning:
SSL Certificate check for mail.gandi.net:
Issuer: CN=Gandi Standard SSL CA,O=GANDI SAS,C=FR
Subject: CN=mail.gandi.net,OU=Gandi Standard SSL,OU=Domain Control Validated
Fingerprint: f9:cd:59:ab:ed:8b:88:7f:61:82:c1:9d:72:3d:a3:ed
Signature: BAD
Do you wish to accept?
I checked the certificate using openssl s_client and gnutls-cli from the
command line, and both of them said the SSL certificate looked just
fine:
~$ gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p smtps mail.gandi.net < /dev/null
Processed 141 CA certificate(s).
Resolving 'mail.gandi.net'...
Connecting to '217.70.184.11:465'...
- Ephemeral Diffie-Hellman parameters
- Using prime: 1024 bits
- Secret key: 1023 bits
- Peer's public key: 1024 bits
- Certificate type: X.509
- Got a certificate list of 4 certificates.
- Certificate[0] info:
- subject `OU=Domain Control Validated,OU=Gandi Standard SSL,CN=mail.gandi.net', issuer `C=FR,O=GANDI SAS,CN=Gandi Standard SSL CA', RSA key 2048 bits, signed using RSA-SHA1, activated `2011-02-25 00:00:00 UTC', expires `2012-03-01 23:59:59 UTC', SHA-1 fingerprint `7994853377552068acd98d8a95d20151f89eccc5'
- Certificate[1] info:
- subject `C=FR,O=GANDI SAS,CN=Gandi Standard SSL CA', issuer `C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware', RSA key 2048 bits, signed using RSA-SHA1, activated `2008-10-23 00:00:00 UTC', expires `2020-05-30 10:48:38 UTC', SHA-1 fingerprint `a9f79883a075ce82d20d274d1368e876140d33b3'
- Certificate[2] info:
- subject `C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware', issuer `C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root', RSA key 2048 bits, signed using RSA-SHA1, activated `2005-06-07 08:09:10 UTC', expires `2020-05-30 10:48:38 UTC', SHA-1 fingerprint `3d4b2a4c64317143f50258d7e6fd7d3c021a529e'
- Certificate[3] info:
- subject `C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root', issuer `C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root', RSA key 2048 bits, signed using RSA-SHA1, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30 10:48:38 UTC', SHA-1 fingerprint `02faf3e291435468607857694df5e45b68851868'
- The hostname in the certificate matches 'mail.gandi.net'.
- Peer's certificate is trusted
- Version: TLS1.0
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed
~$ openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -connect mail.gandi.net:smtps < /dev/null
CONNECTED(00000003)
depth=3 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
verify return:1
depth=2 /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
verify return:1
depth=1 /C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
verify return:1
depth=0 /OU=Domain Control Validated/OU=Gandi Standard SSL/CN=mail.gandi.net
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=mail.gandi.net
i:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
1 s:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
2 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=mail.gandi.net
issuer=/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 5306 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 39674EBDB589E119B666C134FCF980885E14158EF3CB1CDDC0F0F2E990457DD5
Session-ID-ctx:
Master-Key: E1CC9CC9CCEB0B8E2A5B2E45C2822853A69C7410C122B24CE14A3687EB43998BC08A135C7B5B555E766C06ED1B0DEBEC
Key-Arg : None
Start Time: 1299355815
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
DONE
Given this, perhaps evolution doesn't have the right configuration to check SSL
certificates properly?
- Josh Triplett
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.38-rc6-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages evolution depends on:
ii dbus 1.4.6-1 simple interprocess messaging syst
ii debconf [debconf-2.0] 1.5.38 Debian configuration management sy
ii evolution-common 2.32.2-1 architecture independent files for
ii evolution-data-server 2.32.2-2 evolution database backend server
ii gconf2 2.28.1-6 GNOME configuration database syste
ii gnome-icon-theme 2.30.3-2 GNOME Desktop icon theme
ii libatk1.0-0 1.30.0-1 The ATK accessibility toolkit
ii libc6 2.11.2-13 Embedded GNU C Library: Shared lib
ii libcairo2 1.10.2-4 The Cairo 2D vector graphics libra
ii libcamel1.2-19 2.32.2-2 The Evolution MIME message handlin
ii libcanberra-gtk0 0.24-1 Gtk+ helper for playing widget eve
ii libcanberra0 0.24-1 a simple abstract interface for pl
ii libdbus-1-3 1.4.6-1 simple interprocess messaging syst
ii libdbus-glib-1-2 0.88-2.1 simple interprocess messaging syst
ii libebackend1.2-0 2.32.2-2 Utility library for evolution data
ii libebook1.2-10 2.32.2-2 Client library for evolution addre
ii libecal1.2-8 2.32.2-2 Client library for evolution calen
ii libedataserver1.2-14 2.32.2-2 Utility library for evolution data
ii libedataserverui1.2-11 2.32.2-2 GUI utility library for evolution
ii libegroupwise1.2-13 2.32.2-2 Client library for accessing group
ii libenchant1c2a 1.6.0-1 a wrapper library for various spel
ii libevolution 2.32.2-1 evolution libraries
ii libfontconfig1 2.8.0-2.1 generic font configuration library
ii libfreetype6 2.4.4-1 FreeType 2 font engine, shared lib
ii libgail18 2.20.1-2 GNOME Accessibility Implementation
ii libgconf2-4 2.28.1-6 GNOME configuration database syste
ii libgdata7 0.6.4-3 Library for accessing GData webser
ii libglib2.0-0 2.28.1-1+b1 The GLib library of C routines
ii libgnome-desktop-2-17 2.30.2-2 Utility library for loading .deskt
ii libgtk2.0-0 2.20.1-2 The GTK+ graphical user interface
ii libgtkhtml-editor-3.14- 3.32.2-1 HTML rendering/editing library - e
ii libgtkhtml3.14-19 3.32.2-1 HTML rendering/editing library - r
ii libgweather1 2.30.3-1 GWeather shared library
ii libical0 0.44-3 iCalendar library implementation i
ii libice6 2:1.0.7-1 X11 Inter-Client Exchange library
ii libnotify1 [libnotify1- 0.5.0-2 sends desktop notifications to a n
ii libnspr4-0d 4.8.7-2 NetScape Portable Runtime Library
ii libnss3-1d 3.12.9~beta2-1 Network Security Service libraries
ii libpango1.0-0 1.28.3-2~sid1 Layout and rendering of internatio
ii libsm6 2:1.2.0-1 X11 Session Management library
ii libsoup2.4-1 2.32.2-1 an HTTP library implementation in
ii libsqlite3-0 3.7.5-1 SQLite 3 shared library
ii libstartup-notification 0.10-1 library for program launch feedbac
ii libunique-1.0-0 1.1.6-2 Library for writing single instanc
ii libxml2 2.7.8.dfsg-2 GNOME XML library
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
Versions of packages evolution recommends:
pn bogofilter | spamassassi <none> (no description available)
ii evolution-plugins 2.32.2-1 standard plugins for Evolution
pn evolution-webcal <none> (no description available)
ii gnome-desktop-data 2.30.2-2 Common files for GNOME desktop app
ii yelp 2.30.1+webkit-1 Help browser for GNOME
Versions of packages evolution suggests:
pn bug-buddy <none> (no description available)
pn evolution-dbg <none> (no description available)
pn evolution-exchange <none> (no description available)
pn evolution-plugins-experimenta <none> (no description available)
ii gnupg 1.4.11-3 GNU privacy guard - a free PGP rep
ii network-manager 0.8.2-5 network management framework daemo
-- debconf information excluded
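As an added cross-check that is not part of the report above and not Evolution, gnutls or openssl code: the script below repeats the author's verification from a third TLS stack (Python's ssl module, which is OpenSSL underneath) and prints the leaf certificate's fingerprint as MD5, SHA-1 and SHA-256 side by side. That matters when comparing dialogs: the fingerprint in the Evolution warning is 16 bytes long, which is an MD5 digest length, whereas gnutls-cli prints a SHA-1 fingerprint, so the two values above cannot be compared directly. The default host mail.gandi.net and port 465 are taken from the report; only check_smtps() touches the network, the helpers run offline.

```python
"""Cross-check an SMTPS server certificate from a third TLS stack (Python's
ssl module) and print the leaf fingerprint in several digests so it can be
matched against whichever one a mail client's warning dialog shows.

Added example; not Evolution, gnutls or openssl code.  Only check_smtps()
touches the network; parse_pem_chain(), fingerprints() and
digest_for_fingerprint() run offline."""
import base64
import hashlib
import re
import socket
import ssl
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)

# Digest length in bytes -> algorithm name.  A 16-byte fingerprint (as in the
# Evolution dialog above) has MD5's length; gnutls-cli prints SHA-1 (20 bytes).
DIGEST_BY_LENGTH = {16: "md5", 20: "sha1", 32: "sha256"}


def parse_pem_chain(text):
    """Return the DER bytes of every CERTIFICATE block in a PEM text, in
    order (e.g. the output of 'openssl s_client -showcerts')."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_BLOCK.findall(text)]


def fingerprints(der):
    """Colon-separated hex fingerprints of one DER-encoded certificate.
    usedforsecurity=False keeps MD5 available on FIPS-restricted builds;
    the digest only identifies a certificate here, it is not trusted."""
    return {name: ":".join(f"{b:02x}" for b in
                           hashlib.new(name, der, usedforsecurity=False).digest())
            for name in ("md5", "sha1", "sha256")}


def digest_for_fingerprint(fp):
    """Infer from its length which hash a displayed fingerprint uses, so you
    know which line of fingerprints() to compare it with."""
    raw = bytes.fromhex(fp.replace(":", "").replace(" ", ""))
    return DIGEST_BY_LENGTH.get(len(raw), "unknown")


def check_smtps(host, port=465, cafile=None, timeout=10):
    """Open an implicit-TLS (smtps) connection, verify chain and hostname
    against the system trust store (or cafile), and return the negotiated
    parameters plus the leaf certificate's fingerprints.  A bad chain raises
    ssl.SSLCertVerificationError, the condition the client dialog claims."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname check
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
            return {"version": tls.version(),
                    "cipher": tls.cipher()[0],
                    "subject": subject,
                    "fingerprints": fingerprints(der)}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.gandi.net"  # host from the report
    try:
        info = check_smtps(target)
    except ssl.SSLCertVerificationError as err:
        sys.exit(f"{target}: certificate verification FAILED: {err.verify_message}")
    print(f"{target}: {info['version']} {info['cipher']} chain and hostname OK")
    print(f"  subject: {info['subject']}")
    for name, fp in info["fingerprints"].items():
        print(f"  {name:6} {fp}")
```

Run it as `python3 check_smtps.py mail.gandi.net` (or any other host); pass a different trust store through `check_smtps(host, cafile=...)` to reproduce the `-CAfile` / `--x509cafile` runs above. If it verifies here as well, the problem is isolated to the client's own trust configuration rather than to the server's chain, and the MD5 line is the one to compare with the client dialog.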