[fetchmail] Re: [fetchmail-users] SSL authentication problems with Gmail
Matthias Andree
matthias.andree@gmx.de
Wed, 04 Jan 2006 17:28:52 +0100
Sebastian Tennant <sebyte@smolny.plus.com> writes:
>>> OK, added another `-v' and it just lists the Thawte server as well...
>>>
>>> fetchmail[4584]: starting fetchmail 6.3.1 daemon
>>> fetchmail[4584]: 6.3.1 querying pop.googlemail.com (protocol POP3) at Wed Jan 4 11:47:17 2006: poll started
>>> fetchmail[4584]: Issuer Organization: Thawte Consulting cc
>>> fetchmail[4584]: Issuer CommonName: Thawte Premium Server CA
>>> fetchmail[4584]: Server CommonName: pop.googlemail.com
>>> fetchmail[4584]: pop.googlemail.com key fingerprint: 46:8B:6C:F4:3E:4C:56:29:83:54:2C:37:42:F1:67:80
>>> fetchmail[4584]: 6.3.1 querying pop.googlemail.com (protocol POP3) at Wed Jan 4 11:47:18 2006: poll completed
>>> fetchmail[4584]: Query status=2 (SOCKET)
>>> fetchmail[4584]: sleeping at Wed Jan 4 11:47:18 2006
>>
>>Looks like it never talks to the POP server. Can you drop the "port
>>995" and "sslcertck" options from your fetchmailrc and see what you
>>get.
>
> Removed these lines and it works. Thanks to everyone who helped.

Well, I checked the source code and found no code path where SSL
certificate verification would fail without leaving log messages, such
as 1. the actual error and 2. "SSL connection failed".

POP3 was configured explicitly, so "port 995" forth or back doesn't make
a difference either -- removing this option can only make things worse,
not better.

That leaves the question of sslcertck -- it will log trouble, too, EXCEPT
if a certificate at greater depth causes a preverification failure
without setting the error code in the X.509 context variables (and we'd
still get "SSL connection failed" in this case).

It appears as though the server dropped the connection after the SSL
negotiation and before the greeting, or that your log information is
incomplete. Your logging appears to be from syslog, so could you post
your syslog.conf or syslog-ng.conf (whichever you're *actually* using)?

Do you get more detailed logging with "fetchmail --nosyslog -vv -N -d0
--sslcertck --port 995"? Can you try running this and see if you still
get socket errors and if so, which errors they print?

Thanks in advance,
--
Matthias Andree
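
Added example, not part of the original message and not fetchmail code: a small Python triage of the log quoted above. It flags the case the reply describes, a poll that logs the server certificate and ends with status 2 (SOCKET) but never logs "SSL connection failed". The function name triage, the verdict strings and the second log sample are constructed for illustration.

```python
import re

# Log lines as quoted in the thread above (fetchmail 6.3.1, via syslog).
THREAD_LOG = """\
fetchmail[4584]: 6.3.1 querying pop.googlemail.com (protocol POP3) at Wed Jan 4 11:47:17 2006: poll started
fetchmail[4584]: Issuer CommonName: Thawte Premium Server CA
fetchmail[4584]: Server CommonName: pop.googlemail.com
fetchmail[4584]: pop.googlemail.com key fingerprint: 46:8B:6C:F4:3E:4C:56:29:83:54:2C:37:42:F1:67:80
fetchmail[4584]: 6.3.1 querying pop.googlemail.com (protocol POP3) at Wed Jan 4 11:47:18 2006: poll completed
fetchmail[4584]: Query status=2 (SOCKET)
"""

# Constructed sample (not from the thread): a poll where the TLS failure is logged.
CONSTRUCTED_LOG = """\
fetchmail[9001]: 6.3.1 querying mail.example.org (protocol POP3) at Wed Jan 4 12:00:00 2006: poll started
fetchmail[9001]: SSL connection failed.
fetchmail[9001]: Query status=2 (SOCKET)
"""

LINE = re.compile(r"fetchmail\[(\d+)\]: (.*)")

def triage(log_text):
    """Return one summary dict per poll found in log_text."""
    polls, cur = [], None
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        msg = m.group(2)
        if msg.endswith("poll started"):
            cur = {"pid": int(m.group(1)), "cert_seen": False,
                   "ssl_failed": False, "status": None}
            polls.append(cur)
        elif cur is None:
            continue  # line outside any poll; ignore
        elif "key fingerprint:" in msg:
            cur["cert_seen"] = True
        elif "SSL connection failed" in msg:
            cur["ssl_failed"] = True
        elif (s := re.match(r"Query status=(\d+)", msg)):
            cur["status"] = int(s.group(1))
    for p in polls:
        if p["ssl_failed"]:
            p["verdict"] = "TLS failure was logged"
        elif p["status"] == 2 and p["cert_seen"]:
            p["verdict"] = "socket error after certificate was logged, no TLS error logged"
        else:
            p["verdict"] = "no unexplained socket error"
    return polls
```

A poll with the second verdict matches the two readings given in the reply: the connection dropped after the SSL negotiation, or the syslog output is incomplete, which is what the --nosyslog -vv run is meant to settle.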