
Re: Anyone else having password failures at pop.gmail.com?



On Thursday 27 August 2015 22:14:43 Joel Rees wrote:
> I lost track of this thread somehow. Sorry.
> 
> On Thu, Aug 20, 2015 at 11:39 PM, Frédéric Marchal
> <frederic.marchal@wowtechnology.com> wrote:
> > On Thursday 20 August 2015 07:53:33 Joel Rees wrote:
> >> Any chance it's the old problem with Google's chain to a root CA?
> > 
> > Could you elaborate on this problem?
> 
> http://arstechnica.com/information-technology/2015/04/google-let-root-certif
> icate-for-gmail-expire-causing-e-mail-hiccups/
> 
> may or may not be what I was remembering about the CA.

Thanks. The link says Google let its certificate expire once. That's not the 
problem I saw. My message was about the root certificate not being valid for 
that purpose.

With a little luck, it was much more benign than a hacker having his way with 
the LAN.


> > Kmail just popped a warning this morning about an invalid google
> > certificate. Kmail claims that "the root certificate is not valid for
> > that purpose" (whatever that means)…
> > 
> > I would like to know how to make sure whether it is safe to accept the
> > certificate or not.
> > 
> > My employer's gateway may be providing a fake certificate to monitor the
> > SSL communication but I don't know how to tell if the certificate was
> > rewritten by the legitimate gateway or by a rogue third party or if
> > google messed up.
> Do you know how to manually verify a certificate?

Let's see if I did my homework correctly :-)

I get the certificate:

    openssl s_client -connect imap.gmail.com:993

Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=imap.gmail.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

I download GeoTrust CA certificate from their web site:

    wget https://www.geotrust.com/resources/root_certificates/<snip>.pem

Then I run this to verify the chain down to the third level:

    openssl s_client -connect imap.gmail.com:993 -verify 3 -CApath .

depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = 
imap.gmail.com
verify return:1
<...snip...>
    Verify return code: 0 (ok)

Is this procedure valid?

May I use it next time kmail complains about the root certificate if I'm 
running it from inside the LAN that might have been compromised? I wonder 
about the wget step.

Thanks,

Frederic
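Added example, not Frédéric's commands and not anything posted in the thread: the same check as the s_client run above, done against one explicit root. Two details matter for the question of whether the procedure proves anything. First, `-CApath .` only finds certificates in a directory of hash-named links (what `c_rehash` produces), and the OpenSSL tools of that era also loaded the system trust store alongside whatever `-CApath` or `-CAfile` named, so a "Verify return code: 0" does not by itself show that the downloaded GeoTrust file was the root that satisfied the check. Second, a root fetched over the same possibly-intercepted LAN cannot anchor the check; its SHA-256 fingerprint has to match a copy obtained elsewhere (another network, or the distribution's ca-certificates package). The script below assumes only that `openssl` is installed. It builds a throwaway root, intermediate and leaf (constructed test data, with the made-up hostname imap.example.test) so it runs offline, then uses `openssl verify` with `-no-CAfile -no-CApath` so nothing but the one named root is trusted, passes the intermediate as `-untrusted` input exactly as a server would send it, and checks the hostname.

```shell
#!/bin/sh
# Added example (not from the original thread). Verifies a leaf certificate
# against exactly one root, with the intermediate supplied as untrusted input,
# and prints the root fingerprint for out-of-band comparison.
# Everything below is constructed throwaway test data; no network is used.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# new_root PREFIX CN: self-signed root CA (the role GeoTrust Global CA plays above)
new_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/O=Constructed Test/CN=$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# new_signed ISSUER PREFIX SUBJECT EXTFILE: certificate for SUBJECT signed by ISSUER's key
new_signed() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$3" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1 -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
    -CAcreateserial -extfile "$4" -out "$2.pem" 2>/dev/null
}

# verify_chain ROOT INTERMEDIATE LEAF HOSTNAME: succeeds only if LEAF chains
# through INTERMEDIATE to ROOT and is issued for HOSTNAME. -no-CAfile/-no-CApath
# keep the system trust store out of the decision, so ROOT alone is trusted.
verify_chain() {
  openssl verify -no-CAfile -no-CApath -CAfile "$1" -untrusted "$2" \
    -verify_hostname "$4" "$3" >/dev/null 2>&1
}

# fingerprint CERT: SHA-256 fingerprint to compare against a copy obtained
# from outside the network being checked
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# Extension files: the intermediate must be marked as a CA able to sign
# certificates, the leaf carries the hostname it is valid for.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:imap.example.test\n' > "$WORK/leaf.ext"

new_root "$WORK/root" "Test Root CA"
new_root "$WORK/other" "Unrelated Root CA"
new_signed "$WORK/root" "$WORK/int" "/O=Constructed Test/CN=Test Intermediate CA" "$WORK/ca.ext"
new_signed "$WORK/int" "$WORK/leaf" "/CN=imap.example.test" "$WORK/leaf.ext"

if verify_chain "$WORK/root.pem" "$WORK/int.pem" "$WORK/leaf.pem" imap.example.test; then
  echo "leaf chains to the expected root for imap.example.test: ok"
fi
if ! verify_chain "$WORK/other.pem" "$WORK/int.pem" "$WORK/leaf.pem" imap.example.test; then
  echo "leaf does not chain to an unrelated root: rejected, as it should be"
fi
if ! verify_chain "$WORK/root.pem" "$WORK/int.pem" "$WORK/leaf.pem" pop.example.test; then
  echo "leaf is not valid for pop.example.test: rejected, as it should be"
fi
echo "root fingerprint to compare out-of-band: $(fingerprint "$WORK/root.pem")"
```

Against a live server the leaf and intermediate come from `openssl s_client -connect imap.gmail.com:993 -showcerts`, saved to two files, and the root file is the one whose fingerprint was confirmed elsewhere; the `verify_chain` call is then the only step that decides trust, and a gateway that rewrote the certificate fails it because its signing certificate does not lead to that root.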

