On Sunday, 21 January 2024 16:09:47 GMT Walter Dnes wrote:
> On Sun, Jan 21, 2024 at 12:05:45PM +0000, Michael wrote
>
> > Anyway, to take you forward you can:
> [snip ...]
>
> Nothing above works, and I wonder if it's something at my end. I keep
> getting the same message...
>
> > gnutls_handshake: A packet with illegal or unsupported version was
> > received.
>
> The current net-libs/gnutls-3.8.0 ebuild (and 3.8.1 and 3.8.2) has
> sslv2 and sslv3 enabled in IUSE ...but... "emerge -pv gnutls" shows
> them hard-masked. Is my system forcing sslv1 and the server rejecting me???
>
> [ebuild   R    ] net-libs/gnutls-3.8.0:0/30.30::gentoo USE="cxx idn nls
> openssl seccomp tls-heartbeat tools zlib -brotli -dane -doc -examples
> -pkcs11 (-sslv2) (-sslv3) -static-libs -test (-test-full) -verify-sig
> -zstd" 0 KiB
>
> Do you get the same? Do I have to set something in...
>
> make menuconfig
> -*- Cryptographic API --->
>
> "emerge -pv mutt"
>
> [ebuild   R    ] mail-client/mutt-2.2.12::gentoo USE="debug gnutls gpgme
> hcache imap lmdb mbox nls pop sasl smtp ssl -autocrypt -berkdb -doc -gdbm
> -gsasl -idn -kerberos -pgp-classic (-prefix) -qdbm (-selinux) -slang
> -smime-classic -tokyocabinet -vanilla" 0 KiB
>
> I copied certificates from x.txt to .mutt/certificates (see
> attachment). Is this correct? And how do I securely pass credentials?

Starting from the end; to securely pass credentials you need an encrypted
connection to the server. For SMTP server authentication this normally takes
place using STARTTLS on port 587, or explicit TLS typically on port 465 or
port 25, depending on your mail provider.

Your locally stored certificate chain should be in multiple .pem files, one
for each certificate. Normally only the Root CA is needed, since this was used
to sign all its children certificates in the chain. In the first instance just
store the Root CA certificate in your ~/.mutt/certificates/ directory, to see
if mutt accepts it without gnutls complaining.
In your attachment you have 4 certificates:

1. The certificate used by the SMTP server (a wildcard ebox.ca domain
   certificate): Subject: CN = *.ebox.ca, which is issued by "CN = Go Daddy
   Secure Certificate Authority - G2".

2. The "Go Daddy Secure Certificate Authority - G2" was in turn issued by
   "CN = Go Daddy Root Certificate Authority - G2".

3. The "CN = Go Daddy Root Certificate Authority - G2" was issued by
   "OU = Go Daddy Class 2 Certification Authority".

4. Finally, the last certificate "OU = Go Daddy Class 2 Certification
   Authority" is the self-signed Root CA. This is the certificate you could
   copy into your ~/.mutt/certificates/.

A copy of this certificate should be available in your /etc/ssl/certs/, so
you could copy it and also hash it:

  cp /etc/ssl/certs/Go_Daddy_Class_2_CA.pem ~/.mutt/certificates/
  cd ~/.mutt/certificates/
  ln -s Go_Daddy_Class_2_CA.pem `openssl x509 -hash -noout -in Go_Daddy_Class_2_CA.pem`.0

Please note the backticks in the above.

If this still won't work, have you considered ditching gnutls on mutt and
trying with vanilla openssl?

$ emerge -pv mutt

These are the packages that would be merged, in order:

Calculating dependencies... done!
Dependency resolution took 23.29 s (backtrack: 0/20).

[ebuild  N     ] mail-client/mutt-2.2.12::gentoo USE="gdbm hcache imap lmdb
nls sasl smtp ssl -autocrypt -berkdb -debug -doc -gnutls -gpgme -gsasl -idn
-kerberos -mbox -pgp-classic -pop (-prefix) -qdbm (-selinux) -slang
-smime-classic -tokyocabinet -vanilla" 5432 KiB

$ emerge -pv gnutls

These are the packages that would be merged, in order:

Calculating dependencies... done!
Dependency resolution took 1.45 s (backtrack: 0/20).
[ebuild   R    ] net-libs/gnutls-3.8.0:0/30.30::gentoo USE="cxx idn nls
openssl seccomp tls-heartbeat zlib -brotli -dane -doc -examples -pkcs11
(-sslv2) (-sslv3) -static-libs -test (-test-full) -tools -verify-sig -zstd"
ABI_X86="(64) -32 (-x32)" 0 KiB

It may be that openssl is more accommodating for Root CAs using SHA1 and will
allow the connection to complete.
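The procedure in the reply above (split the chain into one .pem per certificate, keep the self-signed Root CA, create the `openssl x509 -hash` symlink, then see whether the server's certificate verifies against it) as an added, self-contained example. This is not code from the thread or from mutt; it generates a throwaway root -> intermediate -> leaf chain with openssl as constructed test data (the "Demo Root CA", "Demo Intermediate CA" and "smtp.example.test" names are this example's own), assumes `openssl` is installed, and uses a temporary directory instead of ~/.mutt/certificates. The verification step deliberately shows both outcomes: the leaf verifies when the intermediate is supplied alongside it (as an SMTP server normally sends it), and fails when only the leaf is presented, which is the case "only the Root CA is needed" silently depends on.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds an OpenSSL-style hashed
# trust directory from a PEM bundle and verifies a leaf certificate against it.
# Hypothetical names throughout: the demo CNs, bundle.pem, the temp dirs.
set -eu

# split_pem_bundle BUNDLE DIR: write each BEGIN/END CERTIFICATE block of BUNDLE
# to DIR/cert-NN.pem (one certificate per file) and print how many were found.
split_pem_bundle() {
    bundle=$1; dir=$2
    mkdir -p "$dir"
    awk -v dir="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n) }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
        END { print n + 0 }
    ' "$bundle"
}

# find_root_certs DIR: print the self-signed certificates (subject == issuer),
# i.e. the Root CA candidates that belong in the trust store.
find_root_certs() {
    dir=$1
    for f in "$dir"/*.pem; do
        subj=$(openssl x509 -noout -subject -in "$f")
        iss=$(openssl x509 -noout -issuer -in "$f")
        # drop the "subject=" / "issuer=" labels before comparing the names
        [ "${subj#subject=}" = "${iss#issuer=}" ] && printf '%s\n' "$f"
    done
    return 0
}

# hash_link_certs DIR: create the <subject-hash>.N symlink for every .pem, the
# same thing the manual `ln -s ... $(openssl x509 -hash ...).0` step does, but
# choosing the next free suffix when two subjects share a hash (as c_rehash does).
hash_link_certs() {
    dir=$1
    for f in "$dir"/*.pem; do
        h=$(openssl x509 -hash -noout -in "$f")
        i=0
        while [ -e "$dir/$h.$i" ] && [ "$(readlink "$dir/$h.$i")" != "$(basename "$f")" ]; do
            i=$((i + 1))
        done
        ln -sf "$(basename "$f")" "$dir/$h.$i"
    done
}

# verify_leaf DIR LEAF [UNTRUSTED]: verify LEAF against the hashed directory DIR
# only (system CA file disabled), optionally with an untrusted intermediate
# supplied the way a server sends it. Returns 0 when the chain verifies.
verify_leaf() {
    dir=$1; leaf=$2; untrusted=${3:-}
    if [ -n "$untrusted" ]; then
        openssl verify -CApath "$dir" -no-CAfile -untrusted "$untrusted" "$leaf" >/dev/null 2>&1
    else
        openssl verify -CApath "$dir" -no-CAfile "$leaf" >/dev/null 2>&1
    fi
}

# make_demo_chain DIR: constructed test data, a 1-day root -> intermediate ->
# leaf chain, concatenated leaf-first into DIR/bundle.pem (server order).
make_demo_chain() {
    d=$1; mkdir -p "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl x509 -req -days 1 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=smtp.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -out "$d/leaf.pem" 2>/dev/null
    cat "$d/leaf.pem" "$d/int.pem" "$d/root.pem" > "$d/bundle.pem"
}

main() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found; nothing to demonstrate"; return 0; }
    work=$(mktemp -d)
    make_demo_chain "$work/chain"
    echo "certificates in bundle: $(split_pem_bundle "$work/chain/bundle.pem" "$work/certs")"
    mkdir -p "$work/trust"
    for r in $(find_root_certs "$work/certs"); do echo "root: $r"; cp "$r" "$work/trust/"; done
    hash_link_certs "$work/trust"
    ls -l "$work/trust"
    verify_leaf "$work/trust" "$work/chain/leaf.pem" "$work/chain/int.pem" && echo "leaf + intermediate: verifies"
    verify_leaf "$work/trust" "$work/chain/leaf.pem" || echo "leaf alone: fails (issuer missing, the server has to send it)"
    rm -rf "$work"
}
main
```

To check a real server the same way, point `openssl s_client -starttls smtp -connect host:587 -CApath <dir>` at the hashed directory and look at the "Verify return code" line. One caveat: mutt's own `$certificate_file` (default ~/.mutt/certificates) and `$ssl_ca_certificates_file` name a single file of concatenated PEM certificates, not a hashed directory, so the directory built here is a tool for testing the chain outside mutt rather than a drop-in replacement for those settings.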