
Self-signed certificate no longer accepted by external account download

Posted: 2015-01-26 20:30
by rstarkov
I used to have hMailServer 5.4-B1950 collecting email via POP from another B1950 installation, using SSL/TLS with a self-signed certificate. This worked fine for about a year.

I'm upgrading to 5.6.1-B2208 and the self-signed certificate is no longer accepted, as far as I can tell:

"DEBUG"	2204	"2015-01-26 17:54:36.644"	"Creating session 46"
"DEBUG"	4788	"2015-01-26 17:54:36.994"	"TCP connection started for session 46"
"DEBUG"	4788	"2015-01-26 17:54:36.994"	"Performing SSL/TLS handshake for session 46. Verify certificate: True, Expected remote host name: [domain name]"
"DEBUG"	15248	"2015-01-26 17:54:37.120"	"Certificate verification failed for session 46. Expected host: [domain name], Windows error code: -2146762487, Windows error message: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider."
"DEBUG"	15248	"2015-01-26 17:54:37.121"	"Ending session 46"
"DEBUG"	2204	"2015-01-26 17:54:37.121"	"Completed retrieval of messages from external account."
What's the easiest work-around for this, short of getting a proper certificate?
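The log lines above carry the Windows error as a signed 32-bit decimal (-2146762487), which is the HRESULT 0x800B0109, CERT_E_UNTRUSTEDROOT. As an added example (not code from the thread or from hMailServer), here is a small Python triage script that parses hMailServer's tab-separated log format as posted above, pulls out every failed handshake, and decodes the HRESULT. The CERT_E_* names and values are from winerror.h; the remediation hints, the helper names, the hostnames and the sample log lines (session 46 mirrors the thread, sessions 47 and 48 are invented) are this example's own.

```python
"""Triage TLS certificate verification failures in an hMailServer log.

Added example; not code from the original thread or from hMailServer.
The log layout (four tab-separated fields, text fields in double quotes)
is taken from the lines posted in the thread; the sample below is
constructed to mirror them. CERT_E_* names/values are from winerror.h;
the remediation hints are this example's own wording.
"""
import csv
import re
from io import StringIO


def to_hresult(signed_code: int) -> int:
    """hMailServer logs the Windows error as a signed 32-bit decimal;
    winerror.h lists HRESULTs unsigned, so normalise before lookup."""
    return signed_code & 0xFFFFFFFF


CERT_ERRORS = {
    0x800B0101: ("CERT_E_EXPIRED",
                 "certificate is outside its validity period"),
    0x800B0109: ("CERT_E_UNTRUSTEDROOT",
                 "chain ends in a root the trust provider does not trust; a "
                 "self-signed cert must itself sit in a Trusted Root store the "
                 "service account can see (LocalMachine, not the admin's "
                 "CurrentUser store)"),
    0x800B010A: ("CERT_E_CHAINING",
                 "no chain to a trusted root; an intermediate is missing"),
    0x800B010C: ("CERT_E_REVOKED", "certificate is revoked"),
    0x800B010F: ("CERT_E_CN_NO_MATCH",
                 "subject/SAN does not match the expected remote host name"),
}

# Matches the failure line hMailServer writes, as seen in the thread.
VERIFY_FAILED = re.compile(
    r"Certificate verification failed for session (?P<session>\d+)\. "
    r"Expected host: (?P<host>.+?), Windows error code: (?P<code>-?\d+)"
)


def parse_log(text: str):
    """Yield one dict per well-formed log line: level, thread, timestamp, message."""
    reader = csv.reader(StringIO(text), delimiter="\t", quotechar='"')
    for row in reader:
        if len(row) != 4:
            continue  # blank or truncated line
        level, thread, timestamp, message = row
        yield {"level": level, "thread": int(thread),
               "timestamp": timestamp, "message": message}


def find_verification_failures(text: str):
    """Return one record per failed handshake with the HRESULT decoded."""
    failures = []
    for rec in parse_log(text):
        m = VERIFY_FAILED.search(rec["message"])
        if not m:
            continue
        hresult = to_hresult(int(m.group("code")))
        name, hint = CERT_ERRORS.get(
            hresult, ("UNKNOWN", "look up the HRESULT in winerror.h"))
        failures.append({
            "timestamp": rec["timestamp"],
            "session": int(m.group("session")),
            "host": m.group("host"),
            "hresult": hresult,
            "name": name,
            "hint": hint,
        })
    return failures


def _line(level, thread, ts, msg):
    """Build one hMailServer-style log line (constructed sample data)."""
    return f'"{level}"\t{thread}\t"{ts}"\t"{msg}"'


# Constructed sample: session 46 mirrors the thread's lines (untrusted root),
# session 47 is a hypothetical name mismatch, session 48 succeeds.
SAMPLE_LOG = "\n".join([
    _line("DEBUG", 2204, "2015-01-26 17:54:36.644", "Creating session 46"),
    _line("DEBUG", 4788, "2015-01-26 17:54:36.994",
          "Performing SSL/TLS handshake for session 46. Verify certificate: "
          "True, Expected remote host name: mail.example.net"),
    _line("DEBUG", 15248, "2015-01-26 17:54:37.120",
          "Certificate verification failed for session 46. Expected host: "
          "mail.example.net, Windows error code: -2146762487, Windows error "
          "message: A certificate chain processed, but terminated in a root "
          "certificate which is not trusted by the trust provider."),
    _line("DEBUG", 15248, "2015-01-26 17:54:37.121", "Ending session 46"),
    _line("DEBUG", 15248, "2015-01-26 18:10:02.003",
          "Certificate verification failed for session 47. Expected host: "
          "pop.example.org, Windows error code: -2146762481, Windows error "
          "message: The certificate's CN name does not match the passed value."),
    _line("DEBUG", 2204, "2015-01-26 18:20:00.000", "Creating session 48"),
    _line("DEBUG", 2204, "2015-01-26 18:20:00.400", "Ending session 48"),
])

if __name__ == "__main__":
    for f in find_verification_failures(SAMPLE_LOG):
        print(f"{f['timestamp']} session {f['session']} {f['host']}: "
              f"{f['hresult']:#010x} {f['name']} - {f['hint']}")
```

Run it against a real hMailServer log by reading the file into `find_verification_failures`; the decoded name tells you whether the fix is trust (CERT_E_UNTRUSTEDROOT), the certificate's name (CERT_E_CN_NO_MATCH) or its validity period, before anyone reaches for the switch that turns verification off.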

Re: Self-signed certificate no longer accepted by external account download

Posted: 2015-01-26 22:08
by percepts
Two things: have you loaded it into the Windows cert store (start certmgr.msc), and has it expired?

Re: Self-signed certificate no longer accepted by external account download

Posted: 2015-01-26 23:39
by rstarkov
Checked both of those. No, it hasn't expired. No, it wasn't loaded into the windows cert store, but nor was this necessary before. Sadly, loading it into the store didn't help either.

I notice that the log says "Verify certificate: True". Is there any easy way to turn this off?

I'd love to have the certificate verify correctly, but with only a vague error message from Windows that I have no idea how to debug, it's looking more like a question of can I get this to work at all or will I have to turn off encryption altogether...

Re: Self-signed certificate no longer accepted by external account download

Posted: 2015-01-26 23:45
by percepts
In hmailadmin SSL/TLS there is an option to switch off "verify remote server certificate".

I think that is for sending only. If it's a remote server sending to you, you can't stop them from doing verification if they want to, as far as I understand it.

Why don't you just create yourself a new self-signed certificate, which will work just fine with most mail servers unless they are really picky, in which case it should fall back to unencrypted if you use StartTLS Optional on port 25.

Re: Self-signed certificate no longer accepted by external account download

Posted: 2015-01-26 23:51
by rstarkov
Thanks percepts. I did try to create a new cert that would pass validation, but couldn't quite get it to work. Will definitely try again later.

I did manage something else though: by searching for the log message in the source code, I found the name of the setting, which is "VerifyRemoteSslCertificate". So it's just a matter of doing this:

UPDATE hm_settings SET settinginteger = 0 WHERE settingname = 'VerifyRemoteSslCertificate'
Not ideal, but good enough for now. I think the upgrade from 5.4 to 5.6 must have enabled this setting. I'm guessing this is the same setting as the checkbox you refer to, under Settings / Advanced / SSL/TLS / Verify remote server SSL/TLS certificates.

Re: Self-signed certificate no longer accepted by external account download

Posted: 2015-01-27 00:14
by percepts
Yes, it is the same setting, but as I said, I think it's for outgoing mail only. Just uncheck it and see if it makes a difference.

Re: Self-signed certificate no longer accepted by external account download

Posted: 2015-01-27 15:42
by prisma
As far as I understood Martin, certificates are checked for smarthost, routes AND pop3c after the update to 5.6. This means for every explicit / manually configured host. Certificates are never checked for MX-resolved hosts.