Saturday, November 10, 2007

Changing Gmail SSL certificate

I was curious why I couldn't fetch my mail to my laptop from Google's Gmail service, when it had been promptly dropping my mail onto my Blackberry. I tried running the 'fetchmail' command manually, where I was greeted with the following message:

fetchmail: pop.gmail.com fingerprints do not match!
9203:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:894:
fetchmail: SSL connection failed.
fetchmail: socket error while fetching from
[my email]@pop.gmail.com
fetchmail: Query status=2 (SOCKET)
It seems Gmail has changed its certificate. The fix is to pull the new certificate from the server named in .fetchmailrc, check it, and update the MD5 fingerprint pinned there:

% openssl s_client -connect smtp.gmail.com:995 -showcerts
CONNECTED(00000004)
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com
issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
No client certificate CA names sent
---
SSL handshake has read 891 bytes and written 314 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DES-CBC3-SHA
Session-ID: BEE4859291CC8325784BE44785F2F705D47CD462B0A5ADC98B62A86A1851B41E
Session-ID-ctx:
Master-Key: 4E085FD56B0A36C4C278C7250BC1D5BC144CE8E7CF979D07086AA1D5E7C40D64DB76285057E16EAD027F789B9B0E1D84
Key-Arg : None
Start Time: 1194725790
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
+OK Gpop ready for requests from [MY IP ADDRESS]
Copy the certificate block (from the BEGIN CERTIFICATE line through the END CERTIFICATE line) into a new file, e.g. '/etc/ssl/certs/new_gmail.pem'. Before pinning it, make sure it is really Google's: the verify errors above (20, 27 and 21) only say that s_client was not told where the CA store is, so rerun it with -CApath /etc/ssl/certs (or run openssl verify on the new file) and confirm the chain ends at the Equifax Secure Certificate Authority listed as the issuer; a fingerprint pinned without that check is simply whatever the host that answered the connection handed you. Then recreate the symbolic links named after the certificate hashes (which sslcertck relies on) and generate the MD5 fingerprint to put in .fetchmailrc:

% c_rehash /etc/ssl/certs
... lots of other output ...
new_gmail.pem => 7f549ca4.0

% openssl x509 -fingerprint -md5 -noout -in new_gmail.pem
MD5 Fingerprint=44:A8:E9:2C:FB:A9:7E:6D:F9:DB:F3:62:B2:9E:F1:A9
Replace the old fingerprint with the new one in .fetchmailrc; in my case the entry looks like this:

poll pop.gmail.com with proto POP3
auth password user "myusername" there with password "mypassword" is vince here
options keep no fetchall sslcertck
# options keep ssl sslfingerprint '59:51:61:89:CD:DD:B2:35:94:BB:44:97:A0:39:D5:B4'
options keep ssl sslfingerprint '44:A8:E9:2C:FB:A9:7E:6D:F9:DB:F3:62:B2:9E:F1:A9'
The commented-out line carries the old fingerprint and the line after it the new one; keeping the old value as a comment makes it easy to see what changed. Fetchmail should resume working now.
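The whole procedure as a shell script, added here and not part of the original post: it takes the leaf certificate out of a saved s_client transcript, reports whether that certificate verifies against a local CA directory before anything is pinned, computes the MD5 fingerprint fetchmail wants, and rewrites the active sslfingerprint line in .fetchmailrc while keeping the old one as a comment. The function names, the RCFILE and CAPATH variables, and the self-signed sample certificate it builds when run without a transcript are my own assumptions, not fetchmail's or Google's.

```shell
#!/bin/sh
# Added example, not code from the original post: re-pin fetchmail's
# sslfingerprint from a saved `openssl s_client -showcerts` transcript.
# Assumed (not from the post): the function names, the RCFILE/CAPATH
# variables and the constructed sample transcript built in main().
set -eu

# extract_leaf_cert TRANSCRIPT OUT
# Copies the first PEM block (depth 0, the server's own certificate) out of
# an s_client transcript; any later blocks are intermediates, not the leaf.
extract_leaf_cert() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { p = 1 }
         p { print }
         /^-----END CERTIFICATE-----$/ { exit }' "$1" > "$2"
    # A transcript without a complete block (failed handshake, truncated
    # capture) must not silently turn into an empty pin.
    grep -q -- '-----END CERTIFICATE-----' "$2"
}

# verify_leaf PEM CAPATH
# Returns openssl's verdict on the certificate against a local CA store.
# Pin only a certificate that chains to a CA you trust; the post's own
# "unable to get local issuer certificate" just means no store was given.
# (Add -untrusted for chains that need an intermediate.)
verify_leaf() {
    openssl verify -CApath "$2" "$1" > /dev/null 2>&1
}

# cert_md5_fingerprint PEM
# Prints the colon-separated MD5 fingerprint in the form fetchmail's
# sslfingerprint option expects (that option understands MD5 only).
cert_md5_fingerprint() {
    openssl x509 -noout -fingerprint -md5 -in "$1" | sed 's/^[^=]*=//'
}

# pinned_fingerprint RCFILE
# Prints the fingerprint on the first active (uncommented) sslfingerprint line.
pinned_fingerprint() {
    sed -n "s/^[^#]*sslfingerprint *'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# repin RCFILE NEW
# Keeps each active sslfingerprint line as a comment and rewrites it with
# the new value, the same edit the post makes by hand. Written via a temp
# file so a failure half-way cannot leave a truncated rcfile behind.
repin() {
    rc=$1; new=$2
    tmp=$(mktemp)
    awk -v new="$new" -v q="'" '
        /^[^#]*sslfingerprint/ {
            print "# " $0
            sub(q "[^" q "]*" q, q new q)
        }
        { print }' "$rc" > "$tmp"
    mv "$tmp" "$rc"
}

# Demo driver. With a transcript path as $1 it works on a real capture
# (taken with: openssl s_client -connect pop.gmail.com:995 -showcerts
# < /dev/null > transcript.txt). Without one it builds a constructed sample
# around a throwaway self-signed certificate so the script runs offline.
main() {
    work=$(mktemp -d)
    if [ $# -ge 1 ]; then
        transcript=$1
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj '/CN=pop.gmail.com' -keyout "$work/key.pem" \
            -out "$work/leaf.pem" 2> /dev/null
        transcript=$work/transcript.txt
        {
            echo 'CONNECTED(00000003)'
            echo 'Certificate chain'
            cat "$work/leaf.pem"          # constructed sample, not Gmail's cert
            echo '+OK Gpop ready for requests'
        } > "$transcript"
    fi
    rc=${RCFILE:-$work/fetchmailrc}       # assumed location; default is a sample
    if [ ! -f "$rc" ]; then
        printf '%s\n' 'poll pop.gmail.com with proto POP3' \
            "options keep ssl sslfingerprint '59:51:61:89:CD:DD:B2:35:94:BB:44:97:A0:39:D5:B4'" > "$rc"
    fi
    extract_leaf_cert "$transcript" "$work/server.pem"
    if verify_leaf "$work/server.pem" "${CAPATH:-/etc/ssl/certs}"; then
        echo "certificate chains to a CA in ${CAPATH:-/etc/ssl/certs}"
    else
        echo "WARNING: certificate does not verify; do not pin it unless you" \
             "have checked it another way (the sample cert is self-signed)" >&2
    fi
    new=$(cert_md5_fingerprint "$work/server.pem")
    echo "old pin: $(pinned_fingerprint "$rc")"
    echo "new pin: $new"
    repin "$rc" "$new"
    cat "$rc"
}

main "$@"
```

Run it as `RCFILE=$HOME/.fetchmailrc ./repin.sh transcript.txt` against a real capture; the warning path is there because a fingerprint taken from an unverified certificate protects only against a later change, not against the connection you captured it from.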

4 comments:

Дима said...

thanks :)

Anonymous said...

Worked for me.

jorx said...

This didn't work for me. What I did instead was to copy the key from the error message. There was the fingerprint fetchmail tried to match with :)

Anonymous said...

rather than smtp.gmail.com it should be pop.gmail.com or whatever you use in your fetchmailrc