Email and SSL/TLS


#1

Hello,

I am trying to set up push email to my mobile phone (Sony Ericsson P990i). I am using the IMAP4 IDLE feature for this and it is all working well, except for one (very annoying) problem. I am hoping that someone here will be able to help.

I am currently using TLS, but I get the same problem when I use SSL. The problem I have is that each time I connect to the IMAP server I get an error stating, “The certificate could not be verified.”

This is understandable as there is no DreamHost certificate on my phone. So I have attempted to add one as follows:

  1. First I retrieved the certificate in PEM format using the command: openssl s_client -showcerts -connect mail.dreamhost.com:465
  2. I then saved the output between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- inclusively into a file called dreamhost.pem
  3. Then I converted it to DER format using the command: openssl x509 -inform PEM -outform DER -in dreamhost.pem -out dreamhost.cer
  4. I copied this onto my phone and loaded it using the certificate manager.

My phone now has a certificate named “*.mail.dreamhost” listed in the CA tab of the certificate manager. The details of the certificate are as follows:

Name: *.mail.dreamhost
Issued to: *.mail.dreamhost.com
Issued by: New Dream Network Certificate Authority
Valid from: 00:48 12/04/2007
Valid to: 00:48 09/04/2017
Fingerprint: 6B:8C:79:AB:96:6D:70:27:7B:A8:6E:6F:82:08:59:A2:B5:B8:CC:C0

Unfortunately, I still get the same error. When I view the certificate details attached to the error message I get the following information:

Owner: localhost
Issued by: localhost
Valid from: 21:30 24/10/2005
Valid to: 21:30 24/10/2006
Fingerprint: BD:AC:49:24:E9:F6:C2:3A:0F:0C:70:65:9A:31:43:89:34:40:03:E8

So it looks to me like I have retrieved and installed the wrong certificate. Is this the case?

If so, how/where can I get the correct certificate in DER format?

If this isn’t the problem I would be grateful for any other suggestions that will rid me of this very annoying message.

Thanks,

Peter


#2

I think the problem is the certificate is for dreamhost.com, but you are getting mail from yourdomain.com. The names don’t match.

See the wiki:
http://wiki.dreamhost.com/Secure_E-mail

Regards,
Rudy
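
Added example, not part of any post in this thread: a small Python check that compares the two certificate records quoted in post #1 and lists why a strict client would reject the certificate the server presented. The host name `mail.yourdomain.com` and the evaluation date are assumptions made for illustration, and issuers are matched by name only, with no signature verification.

```python
from datetime import datetime

FMT = "%H:%M %d/%m/%Y"  # date layout of the certificate details in post #1

def name_matches(cert_name, host):
    """RFC 6125-style match: '*' is only honoured as the whole left-most
    label and stands for exactly one label."""
    c = cert_name.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(c) != len(h) or "" in h:
        return False
    if c[0] == "*":
        return len(c) > 2 and c[1:] == h[1:]
    return c == h

def diagnose(presented, trust_store, host, now):
    """List the reasons a strict client would reject `presented` for `host`.
    Simplification: issuers are matched by name, signatures are not checked."""
    reasons = []
    pinned = any(t["fingerprint"] == presented["fingerprint"] for t in trust_store)
    issued_by_trusted = any(t["subject"] == presented["issuer"] for t in trust_store)
    if not (pinned or issued_by_trusted):
        if presented["subject"] == presented["issuer"]:
            reasons.append("untrusted self-signed certificate")
        else:
            reasons.append("untrusted issuer")
    start = datetime.strptime(presented["valid_from"], FMT)
    end = datetime.strptime(presented["valid_to"], FMT)
    if not start <= now <= end:
        reasons.append("outside validity period")
    if not name_matches(presented["subject"], host):
        reasons.append("name mismatch")
    return reasons

# Certificate details as quoted in post #1.
INSTALLED = {"subject": "*.mail.dreamhost.com",
             "issuer": "New Dream Network Certificate Authority",
             "valid_from": "00:48 12/04/2007", "valid_to": "00:48 09/04/2017",
             "fingerprint": "6B:8C:79:AB:96:6D:70:27:7B:A8:6E:6F:82:08:59:A2:B5:B8:CC:C0"}
PRESENTED = {"subject": "localhost", "issuer": "localhost",
             "valid_from": "21:30 24/10/2005", "valid_to": "21:30 24/10/2006",
             "fingerprint": "BD:AC:49:24:E9:F6:C2:3A:0F:0C:70:65:9A:31:43:89:34:40:03:E8"}
HOST = "mail.yourdomain.com"  # assumption: placeholder for the host the phone connects to
NOW = datetime(2007, 6, 1)    # assumption: constructed date inside the installed cert's validity

if __name__ == "__main__":
    for reason in diagnose(PRESENTED, [INSTALLED], HOST, NOW):
        print(reason)
```

Running `diagnose(INSTALLED, [INSTALLED], HOST, NOW)` still reports a name mismatch, which is the point made in reply #2: installing the certificate does not help while the client connects under a name the certificate does not cover.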


#3

I had a feeling it might be something like that, but was hoping that it wouldn’t be.

I don’t believe that there is any way to get my phone to ignore the fact that the names don’t match.

If that’s the case I’ll either have to put up with the warning or use unencrypted access.