[MlMt] Trouble connecting to iCloud (certificate validation)
Benny Kjær Nielsen
mailinglist at freron.com
Tue Aug 18 16:48:52 EDT 2015
On 18 Aug 2015, at 4:29, Scott A. McIntyre wrote:
> For the past few months, every now and again when MailMate tries to
> talk to Apple's iCloud email infrastructure, a certificate validation
> error occurs.
>
> The certificate that MailMate reports is a wildcard for
> `*.mail.me.com`, signed by Symantec ("Symantec Class 3 Secure Server CA
> - G4"), with a serial number of 11 04 0c 72 fb d3 37 73 1f f4 f0 dc b3
> c0 e7 17.
>
> The error in MailMate/OS X is "This certificate was signed by an
> unknown authority".
>
> In my Keychain Manager I have a "Symantec Class 3 Public Primary
> Certification Authority - G4" -- not quite the identical name, but,
> I'm grabbing this from the pop-up that appears when MailMate connects,
> and signing versus issuing may account for a slight discrepancy.
>
> Decades of doing what I do for my day-job has me just paranoid enough
> to raise an eyebrow on this one.
>
> Has anyone else encountered this?
Yes, I've had a few reports and this thread certainly confirms there is
a problem. All reports are about the iCloud IMAP server and therefore
it's either a problem with this server or a problem in MailMate
(apparently) only triggered by this server. The fact that this only
seems to affect MailMate indicates that the latter is the problem.
Now, iCloud appears to have a pretty weird IMAP server. I've had
multiple reports indicating that the specific behavior of the connected
server is random (I assume it's some kind of cluster of servers). It's
possible to connect to at least somewhat explicit servers by using a
prefix like this `p01-imap.mail.me.com`. Experimentation has shown that
p01-p38 are connectable, but this is not proof that they are all part of
`imap.mail.me.com`. Here are two initial IMAP replies indicating that
these servers are not identical:
```
* OK [CAPABILITY pv33p36im-iscream004 15E43 XAPPLEPUSHSERVICE IMAP4 IMAP4rev1 SASL-IR AUTH=ATOKEN AUTH=PLAIN] iSCREAM ready to rumble (15E43-20056:575) pv33p36im-iscream004 [04:5789:13:34:02:AB]
* OK iSCREAM ready to rumble (15E43-20056:8770) st14p37im-iscream006 [44:08:13:34:09:93]
```
Back to certificates. I've checked p01-p38 and they all provide the same
certificates and I wouldn't think there was a problem except for the
fact that I have an example from a user for which this is not true.
Connecting to `imap.mail.me.com` he got a certificate with this issuer:
```
Issuer: C=CZ, ST=Prague, O=AVAST, OU=Software Development, CN=Avast trusted CA
```
This is to be compared with what I got every time:
```
Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4
```
But I'm not sure this tells us much about the error you got since your
error message involves the Symantec certificate. A bit of detail might
help here. The server actually sends multiple certificates. These are
used to build a chain of certificates which combined with the system
keychain should lead to validation. If I leave out the intermediate
certificates then I get the error you get and it validates if I add the
intermediate certificate (the same one as found
[here](https://www.tbs-certificates.co.uk/FAQ/en/Symantec_Class_3_Secure_Server_CA-G4_MPKI.html)).
(If you add this certificate to your keychain then it might fix the
problem, but it won't tell us what the problem is.)
I think this boils down to that either the server sometimes leaves out
the intermediate certificate or sometimes MailMate (or the Apple
framework used by MailMate) somehow ignores it. I'll look into adding
some debug output to learn more (and I believe I can also improve parts
of the code since MailMate now requires 10.7+).
Sorry if this was a bit rambling.
--
Benny
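The chain-building step Benny describes (leaf certificate plus the intermediates the server sends, joined up with what is in the local keychain) is easy to reason about with a small model. The following is an added example, not MailMate's code nor Apple's Security framework; it models certificates as subject/issuer name pairs only (no signature, validity-period or hostname checks, which a real validator also performs) and uses the distinguished names quoted in the thread, with the "Symantec Class 3 Public Primary Certification Authority - G4" root taken as the trust anchor. It reproduces the three situations in the message: the server supplies the intermediate (validates), the server omits it (the "unknown authority" error), and the user works around the omission by adding the intermediate to the keychain.

```python
"""Toy X.509 path builder illustrating the missing-intermediate failure.

Added example for illustration. Certificates are reduced to their subject and
issuer names; chain building walks issuer -> subject links, first through the
certificates the server sent, then into the local trust store.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def build_chain(leaf: Cert, supplied: List[Cert], trusted: List[Cert]) -> Optional[List[Cert]]:
    """Return the certificate path from `leaf` to a trusted anchor, or None.

    `supplied` is what the server presented in the TLS handshake (leaf plus
    any intermediates); `trusted` is the local keychain. None corresponds to
    the "signed by an unknown authority" error in the thread.
    """
    supplied_by_subject = {c.subject: c for c in supplied}
    trusted_by_subject = {c.subject: c for c in trusted}
    chain = [leaf]
    seen = {leaf.subject}
    current = leaf
    while True:
        if current.self_signed:
            # A self-signed cert ends the path; it is only acceptable as an anchor.
            return chain if current.subject in trusted_by_subject else None
        anchor = trusted_by_subject.get(current.issuer)
        if anchor is not None:
            # The issuer is in the keychain: the path is complete.
            return chain + [anchor]
        nxt = supplied_by_subject.get(current.issuer)
        if nxt is None or nxt.subject in seen:
            # Issuer neither sent by the server nor trusted locally (or a loop).
            return None
        chain.append(nxt)
        seen.add(nxt.subject)
        current = nxt


def describe(leaf: Cert, supplied: List[Cert], trusted: List[Cert]) -> str:
    """Human-readable verdict in the wording MailMate/OS X reports."""
    chain = build_chain(leaf, supplied, trusted)
    if chain is None:
        return "This certificate was signed by an unknown authority"
    return "validated: " + " -> ".join(c.subject for c in chain)


# Constructed sample data using the names quoted in the thread (names only).
LEAF = Cert("CN=*.mail.me.com", "CN=Symantec Class 3 Secure Server CA - G4")
INTERMEDIATE = Cert("CN=Symantec Class 3 Secure Server CA - G4",
                    "CN=Symantec Class 3 Public Primary Certification Authority - G4")
ROOT = Cert("CN=Symantec Class 3 Public Primary Certification Authority - G4",
            "CN=Symantec Class 3 Public Primary Certification Authority - G4")
# Leaf seen by the user whose connection was issued by a different CA.
OTHER_LEAF = Cert("CN=*.mail.me.com", "CN=Avast trusted CA")

if __name__ == "__main__":
    print("server sends intermediate:  ", describe(LEAF, [LEAF, INTERMEDIATE], [ROOT]))
    print("server omits intermediate:  ", describe(LEAF, [LEAF], [ROOT]))
    print("intermediate in keychain:   ", describe(LEAF, [LEAF], [ROOT, INTERMEDIATE]))
    print("issuer not in keychain:     ", describe(OTHER_LEAF, [OTHER_LEAF], [ROOT]))
```

The third case is the workaround mentioned in the message: importing the intermediate into the keychain lets the path complete even when the server omits it, which is why it hides the symptom without explaining whether the server or the client is dropping the certificate. Running a diagnostic against several of the `pNN-imap.mail.me.com` hosts and recording which ones send the intermediate is the way to tell those two causes apart.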