Test SSL Imap Connection
Testing a Recently Changed Mail Server Certificate
It is not easy to check what certificate is being presented using the ThunderBird mail client.
However, you should verify that both the host certificate and the OrganizationSSL Intermediate Root Certificate have been installed correctly.
ThunderBird will show you the chain of certificates.
You can ensure ThunderBird gets the certificates from the mail server by creating a new, empty profile using
arpepper@cscfpc20:~$ thunderbird -no-remote -ProfileManager
Choose "Create Profile" and then complete the one-step wizard to
create a new empty profile (you just need to choose a name).
Then click on that profile to start a session using it.
You will be asked to set up an account.
When asked for imap and smtp server, enter a version of the name which will not actually match the full name in the certificate you wish to test.
For example, enter just plg.cs instead of plg.cs.uwaterloo.ca.
If the host uses imaps and not TLS under imap, the profile will fail initially, and you will need to find and click [View settings for this account] and [Server Settings] and change the connection type to SSL.
If you then click on Inbox, you should get a warning about the name mismatch, in a dialog box which allows you to [View Certificate].
[Details] should show you the Intermediate Certificate as GlobalSign Organization Validation CA; you should be able to confirm its validity dates (although the procedure is a little painful).
There does not appear to be any way to save or export any of the certificates.
Although this facility should remain available in future versions of ThunderBird, details of the interface will probably change.
For tidiness, you probably want to immediately delete your new
profile using the dialog generated by:
arpepper@cscfpc20:~$ thunderbird -no-remote -ProfileManager
and then selecting it for [Delete].
Using openssl command to check Mail Server Certificates
The openssl command has an s_client sub-command which can be a simple client for SSL smtp, imap, pop or ftp.
arpepper@cscfpc20:~$ echo quit | openssl s_client -crlf -connect mail.cs.uwaterloo.ca:465
arpepper@cscfpc20:~$ echo quit | openssl s_client -starttls smtp -crlf -connect mail.cs.uwaterloo.ca:25
arpepper@cscfpc20:~$ echo 0 logout | openssl s_client -starttls imap -crlf -connect mail.cs.uwaterloo.ca:imap
arpepper@cscfpc20:~$ echo 0 logout | openssl s_client -crlf -connect mail.cs.uwaterloo.ca:imaps
arpepper@cscfpc20:~$ echo quit | openssl s_client -starttls pop3 -crlf -connect plg2.cs.uwaterloo.ca:110
arpepper@cscfpc20:~$ echo quit | openssl s_client -crlf -connect plg2.cs.uwaterloo.ca:995
I had to hunt around for a pop3 example, because that is being shut down.
The output from the above is lengthy, and includes the main server certificate.
You can use the openssl command to view its details.
Other options can be given to the above. Most useful might be -showcerts which will show the entire certificate chain. Also -CAfile <file> or -CApath <dir>.
arpepper@cscfpc20:~$ echo 0 logout | openssl s_client -showcerts -CApath /etc/ssl/certs -starttls imap -crlf -connect mail.cs.uwaterloo.ca:imap
-starttls http is not supported, since there is no such concept. But since https is a standard SSL protocol port, the following does work to view the certificate used by https:
arpepper@cscfpc20:~$ cat /dev/null | openssl s_client -crlf -connect cs.uwaterloo.ca:443
Since openssl x509 -text ignores information outside the recognized CERTIFICATE area, the above commands can all be piped directly into it.
arpepper@cscfpc20:~$ echo 0 logout | openssl s_client -starttls imap -crlf -connect mail.cs.uwaterloo.ca:imap | openssl x509 -text
There might be a little untidy stderr output at the beginning, so...
arpepper@cscfpc20:~$ echo 0 logout | 2>/dev/null openssl s_client -starttls imap -crlf -connect mail.cs.uwaterloo.ca:imap | openssl x509 -text
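The openssl x509 -text pipe above decodes only the first certificate it reads, so the intermediate shown by -showcerts goes unexamined. The following is an added example, not part of the original page: it splits -showcerts output into one file per certificate and prints subject, issuer and validity dates for each. The function names and the cert-N.pem file naming are assumptions made here, and the sample output is constructed with placeholder bodies.

```shell
# Added example; function names and cert-N.pem naming are assumptions.

# split_chain DIR: read `openssl s_client -showcerts` output on stdin, write each
# PEM block to DIR/cert-N.pem (0 = the server's own certificate), print the count.
split_chain() {
    mkdir -p "$1" || return 1
    awk -v dir="$1" '
        /^-----BEGIN CERTIFICATE-----/ { out = sprintf("%s/cert-%d.pem", dir, n); inside = 1 }
        inside { print > out }
        /^-----END CERTIFICATE-----/ { if (inside) { close(out); n++; inside = 0 } }
        END { print n + 0 }
    '
}

# describe_chain DIR: show subject, issuer and validity dates for every
# certificate written by split_chain, in the order the server sent them.
describe_chain() {
    i=0
    while [ -f "$1/cert-$i.pem" ]; do
        echo "== certificate $i =="
        openssl x509 -noout -subject -issuer -dates -in "$1/cert-$i.pem" || return 1
        i=$((i + 1))
    done
}

# check_imap_chain HOST: fetch the chain over STARTTLS imap (same options as
# the commands on this page) and describe each certificate in it.
check_imap_chain() {
    tmp=$(mktemp -d) || return 1
    echo 0 logout |
        openssl s_client -showcerts -starttls imap -crlf -connect "$1:imap" 2>/dev/null |
        split_chain "$tmp" >/dev/null
    describe_chain "$tmp"
    rm -rf "$tmp"
}

# Constructed sample of -showcerts output; the bodies are placeholders, not
# real certificates, so it exercises split_chain only.
sample_s_client_output() {
    cat <<'EOF'
 0 s:constructed server subject
-----BEGIN CERTIFICATE-----
CONSTRUCTED-SERVER-BODY
-----END CERTIFICATE-----
 1 s:constructed intermediate subject
-----BEGIN CERTIFICATE-----
CONSTRUCTED-INTERMEDIATE-BODY
-----END CERTIFICATE-----
---
EOF
}
```

After sourcing the file, check_imap_chain mail.cs.uwaterloo.ca prints one block per certificate, so the intermediate's notBefore and notAfter dates can be read directly.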
--
AdrianPepper - 2013-Jul-08