* [gentoo-user] [OT] Strange behaviour of google certificates.
From: Gevisz @ 2015-04-01 17:19 UTC
To: gentoo-user
This question does specifically relate to Gentoo distribution
but, as far as I have not subscribed to any other mailing list,
I dare to ask it here.
So, I am using Claws Mail that downloads e-mails from several
google mail accounts (all are mine :) and about once or twice
in a month get into the situation when Claws asks me to verify
and change the google certificates, first in one direction and
soon after that (usually during the next downloading of my e-mails)
- in another.
The situation is illustrated by the 2 message screenshots that are
attached to this e-mail.
The strange thing for me is that, first, the Claws asks me to verify
and accept a newer certificate complaining that the old one is in some
aspect "bad", and soon after that it complains about a newer certificate
and asks me to verify and accept the older one.
I suspect that it is google that makes something wrong here.
What do you think?
[-- Attachment #2: certificate_question.xcf --]
[-- Type: image/x-xcf, Size: 225320 bytes --]
[-- Attachment #3: certificate_question_2.xcf --]
[-- Type: image/x-xcf, Size: 229854 bytes --]
* Re: [gentoo-user] [OT] Strange behaviour of google certificates.
From: Mickaël Bucas @ 2015-04-01 21:41 UTC
To: gentoo-user
2015-04-01 19:19 GMT+02:00 Gevisz <gevisz@gmail.com>:
> This question does specifically relate to Gentoo distribution
> but, as far as I have not subscribed to any other mailing list,
> I dare to ask it here.
>
> So, I am using Claws Mail that downloads e-mails from several
> google mail accounts (all are mine :) and about once or twice
> in a month get into the situation when Claws asks me to verify
> and change the google certificates, first in one direction and
> soon after that (usually during the next downloading of my e-mails)
> - in another.
>
> The situation is illustrated by the 2 message screenshots that are
> attached to this e-mail.
>
> The strange thing for me is that, first, the Claws asks me to verify
> and accept a newer certificate complaining that the old one is in some
> aspect "bad", and soon after that it complains about a newer certificate
> and asks me to verify and accept the older one.
>
> I suspect that it is google that makes something wrong here.
>
> What do you think?
Hi Gevisz
I had a similar behavior with another tool: offlineimap.
It seems that Google changes certificates very often and/or uses
different certificates on different connections.
For offlineimap, the solution is to use an option to check certificates:
sslcacertfile = /etc/ssl/certs/ca-certificates.crt
Maybe there is an option to do the same in Claws Mail.
I found "Bug 2199 - Claws doesn't propery verify certification chain"
[1] which affected a GMail user.
It's fixed, so you may find what's been done.
Best regards
Mickaël Bucas
[1] http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2199
* Re: [gentoo-user] [OT] Strange behaviour of google certificates.
From: wabenbau @ 2015-04-02 2:17 UTC
To: gentoo-user
Gevisz <gevisz@gmail.com> wrote:
> This question does specifically relate to Gentoo distribution
> but, as far as I have not subscribed to any other mailing list,
> I dare to ask it here.
>
> So, I am using Claws Mail that downloads e-mails from several
> google mail accounts (all are mine :) and about once or twice
> in a month get into the situation when Claws asks me to verify
> and change the google certificates, first in one direction and
> soon after that (usually during the next downloading of my e-mails)
> - in another.
>
> The situation is illustrated by the 2 message screenshots that are
> attached to this e-mail.
>
> The strange thing for me is that, first, the Claws asks me to verify
> and accept a newer certificate complaining that the old one is in some
> aspect "bad", and soon after that it complains about a newer
> certificate and asks me to verify and accept the older one.
>
> I suspect that it is google that makes something wrong here.
>
> What do you think?
I'm using fetchmail on a separate server to receive my mail. I had to
deactivate fetchmail's ssl fingerprint checks for my google accounts,
because the certificates are changing frequently. I don't know the
reason for these changes but as I use my google accounts only for some
mailing lists and because I'm a lazy guy I don't care much about that
and have never done any research.
But please tell me if you find out the reason. :-)
--
Regards
wabe
* Re: [gentoo-user] [OT] Strange behaviour of google certificates.
From: Gevisz @ 2015-04-02 4:43 UTC
To: gentoo-user
On Wed, 1 Apr 2015 23:41:55 +0200 Mickaël Bucas <mbucas@gmail.com> wrote:
> 2015-04-01 19:19 GMT+02:00 Gevisz <gevisz@gmail.com>:
Correction:
This question does *not* specifically relate to Gentoo distribution
> > but, as far as I have not subscribed to any other mailing list,
> > I dare to ask it here.
> >
> > So, I am using Claws Mail that downloads e-mails from several
> > google mail accounts (all are mine :) and about once or twice
> > in a month get into the situation when Claws asks me to verify
> > and change the google certificates, first in one direction and
> > soon after that (usually during the next downloading of my e-mails)
> > - in another.
Actually it does it for every gmail account and at different times.
So, yesterday, I "verified" google certificates *a lot* of times.
> > The situation is illustrated by the 2 message screenshots that are
> > attached to this e-mail.
> >
> > The strange thing for me is that, first, the Claws asks me to verify
> > and accept a newer certificate complaining that the old one is in some
> > aspect "bad", and soon after that it complains about a newer certificate
> > and asks me to verify and accept the older one.
> >
> > I suspect that it is google that makes something wrong here.
> >
> > What do you think?
>
> Hi Gevisz
>
> I had a similar behavior with another tool: offlineimap.
> It seems that Google changes certificates very often and/or uses
> different certificates on different connections.
Probably, but why do they do it?
> For offlineimap, the solution is to use an option to check certificates:
> sslcacertfile = /etc/ssl/certs/ca-certificates.crt
>
> Maybe there is an option to do the same in Claws Mail.
> I found "Bug 2199 - Claws doesn't propery verify certification chain"
> [1] which affected a GMail user.
> It's fixed, so you may find what's been done.
>
> Best regards
>
> Mickaël Bucas
>
> [1] http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=2199
Thank you for the link. I will study it later, in the evening.
* Re: [gentoo-user] [OT] Strange behaviour of google certificates.
From: Gevisz @ 2015-04-02 4:50 UTC
To: gentoo-user
On Thu, 2 Apr 2015 04:17:40 +0200 <wabenbau@gmail.com> wrote:
> Gevisz <gevisz@gmail.com> wrote:
>
> > This question does specifically relate to Gentoo distribution
> > but, as far as I have not subscribed to any other mailing list,
> > I dare to ask it here.
> >
> > So, I am using Claws Mail that downloads e-mails from several
> > google mail accounts (all are mine :) and about once or twice
> > in a month get into the situation when Claws asks me to verify
> > and change the google certificates, first in one direction and
> > soon after that (usually during the next downloading of my e-mails)
> > - in another.
> >
> > The situation is illustrated by the 2 message screenshots that are
> > attached to this e-mail.
> >
> > The strange thing for me is that, first, the Claws asks me to verify
> > and accept a newer certificate complaining that the old one is in some
> > aspect "bad", and soon after that it complains about a newer
> > certificate and asks me to verify and accept the older one.
> >
> > I suspect that it is google that makes something wrong here.
> >
> > What do you think?
>
> I'm using fetchmail on a separate server to receive my mail. I had to
> deactivate fetchmail's ssl fingerprint checks for my google accounts,
> because the certificates are changing frequently. I don't know the
> reason for these changes but as I use my google accounts only for some
> mailing lists and because I'm a lazy guy I don't care much about that
> and have never done any research.
Thank you for the reply. So, I am not alone. :)
> But please tell me if you find out the reason. :-)
OK, but I am far from an expert on networking.
* Re: [gentoo-user] [OT] Strange behaviour of google certificates.
From: Walter Dnes @ 2015-04-02 7:52 UTC
To: gentoo-user
On Wed, Apr 01, 2015 at 08:19:45PM +0300, Gevisz wrote
> So, I am using Claws Mail that downloads e-mails from several
> google mail accounts (all are mine :) and about once or twice
> in a month get into the situation when Claws asks me to verify
> and change the google certificates, first in one direction and
> soon after that (usually during the next downloading of my e-mails)
> - in another.
>
> The situation is illustrated by the 2 message screenshots that are
> attached to this e-mail.
>
> The strange thing for me is that, first, the Claws asks me to verify
> and accept a newer certificate complaining that the old one is in some
> aspect "bad", and soon after that it complains about a newer
> certificate and asks me to verify and accept the older one.
>
> I suspect that it is google that makes something wrong here.
>
> What do you think?
The same question came up on the local linux user group here in
Toronto. Apparently "pop.gmail.com" is actually 2 servers...
[d531][waltdnes][~] nslookup pop.gmail.com
Server: 206.248.154.170
Address: 206.248.154.170#53
Non-authoritative answer:
pop.gmail.com canonical name = gmail-pop.l.google.com.
Name: gmail-pop.l.google.com
Address: 173.194.192.108
Name: gmail-pop.l.google.com
Address: 173.194.192.109
The 2 servers probably have different certificates, which is why you
get this behaviour. I suggest going into "apk mode" and putting an
entry into your hosts file <G>, like...
173.194.192.108 pop.gmail.com
This will force your system to always use the same server, and avoid
the re-validation every time you hit the other server from the one you
used the previous time.
--
Walter Dnes <waltdnes@waltdnes.org>
I don't run "desktop environments"; I run useful applications
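A diagnostic for the two explanations given in this thread (different leaf certificates on the two addresses, and checking against a CA bundle instead of a stored certificate), added here as an example and not code from any poster. The helper names, port 995, the 192.0.2.x addresses and the `fp-old`/`fp-new` fingerprints are assumptions constructed for illustration.

```python
import hashlib
import socket
import ssl
from collections import defaultdict


def resolve_all(host, port):
    """Return every address the name currently resolves to (round-robin DNS)."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def leaf_fingerprint(ip, host, port, timeout=10.0):
    """Connect to one backend by IP, validate chain and hostname against the
    system CA bundle, and return the SHA-256 of the leaf certificate."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, hostname check on
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


def survey(host, port=995):
    """Map each resolved address to its leaf fingerprint or the error seen."""
    results = {}
    for ip in resolve_all(host, port):
        try:
            results[ip] = leaf_fingerprint(ip, host, port)
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            results[ip] = "ERROR: %s" % exc
    return results


def group_by_fingerprint(results):
    """Invert {address: fingerprint} so backends sharing a leaf cert group up."""
    groups = defaultdict(list)
    for ip, fp in sorted(results.items()):
        groups[fp].append(ip)
    return dict(groups)


def pin_prompts(presented):
    """Count how often a client that stores ONE leaf fingerprint per hostname
    must ask the user, given the fingerprints seen on successive polls."""
    stored, prompts = None, 0
    for fp in presented:
        if fp != stored:
            prompts += 1  # unknown or changed certificate: ask the user
            stored = fp   # user accepts, replacing the stored fingerprint
    return prompts


# Constructed sample: two backends mid-rollout (placeholders, not real hashes).
SAMPLE = {"192.0.2.108": "fp-new", "192.0.2.109": "fp-old"}
# Polls alternating between both backends versus polls stuck to one backend.
ROUND_ROBIN = ["fp-new", "fp-old", "fp-new", "fp-old", "fp-new", "fp-old"]
ONE_BACKEND = ["fp-old", "fp-old", "fp-old", "fp-new", "fp-new", "fp-new"]

if __name__ == "__main__":
    print(group_by_fingerprint(SAMPLE))
    print("round robin:", pin_prompts(ROUND_ROBIN), "prompts")
    print("one backend:", pin_prompts(ONE_BACKEND), "prompts")
    # Live check (needs network):
    # print(group_by_fingerprint(survey("pop.gmail.com")))
```

Run against a live server, `survey()` reporting no errors while `group_by_fingerprint()` returns more than one group means every backend's chain validates and only the leaf certificates differ.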
* Re: [gentoo-user] [OT] Strange behaviour of google certificates.
From: Gevisz @ 2015-04-02 8:57 UTC
To: gentoo-user
On Thu, 2 Apr 2015 03:52:40 -0400 "Walter Dnes" <waltdnes@waltdnes.org> wrote:
> On Wed, Apr 01, 2015 at 08:19:45PM +0300, Gevisz wrote
>
> > So, I am using Claws Mail that downloads e-mails from several
> > google mail accounts (all are mine :) and about once or twice
> > in a month get into the situation when Claws asks me to verify
> > and change the google certificates, first in one direction and
> > soon after that (usually during the next downloading of my e-mails)
> > - in another.
> >
> > The situation is illustrated by the 2 message screenshots that are
> > attached to this e-mail.
> >
> > The strange thing for me is that, first, the Claws asks me to verify
> > and accept a newer certificate complaining that the old one is in some
> > aspect "bad", and soon after that it complains about a newer
> > certificate and asks me to verify and accept the older one.
> >
> > I suspect that it is google that makes something wrong here.
> >
> > What do you think?
>
> The same question came up on the local linux user group here in
> Toronto. Apparently "pop.gmail.com" is actually 2 servers...
>
> [d531][waltdnes][~] nslookup pop.gmail.com
> Server: 206.248.154.170
> Address: 206.248.154.170#53
>
> Non-authoritative answer:
> pop.gmail.com canonical name = gmail-pop.l.google.com.
> Name: gmail-pop.l.google.com
> Address: 173.194.192.108
> Name: gmail-pop.l.google.com
> Address: 173.194.192.109
>
> The 2 servers probably have different certificates, which is why you
> get this behaviour. I suggest going into "apk mode" and putting an
> entry into your hosts file <G>, like...
>
> 173.194.192.108 pop.gmail.com
>
> This will force your system to always use the same server, and avoid
> the re-validation every time you hit the other server from the one you
> used the previous time.
Thank you for your advice. Added that line to my /etc/hosts file.
After that Claws asked to verify the google certificate once again,
but I hope that that was the last time this month and that that madness
with google certificates finally ends. (Because in the last 2 days this
situation repeated at least 20 or more times.)
* [gentoo-user] Re: [OT] Strange behaviour of google certificates.
From: James @ 2015-04-02 15:57 UTC
To: gentoo-user
Walter Dnes <waltdnes <at> waltdnes.org> writes:
> > So, I am using Claws Mail that downloads e-mails from several
> > google mail accounts (all are mine :) and about once or twice
> > in a month get into the situation when Claws asks me to verify
> > and change the google certificates, first in one direction and
> > soon after that (usually during the next downloading of my e-mails)
> > - in another.
> > I suspect that it is google that makes something wrong here.
> > What do you think?
> The 2 servers probably have different certificates, which is why you
> get this behaviour. I suggest going into "apk mode" and putting an
> entry into your hosts file <G>, like...
> 173.194.192.108 pop.gmail.com
> This will force your system to always use the same server, and avoid
> the re-validation every time you hit the other server from the one you
> used the previous time.
Clusters & Clouds are the short answer. Everybody (big) is now racing to
deploy services; often as if a single IP or dns record or domain name,
yet underneath is a cluster of many, many machines. The security is,
well, let's just say evolving to be kind. I have no idea about your
particular situation; but I've been reading up on cluster and cloud
for months now, so here are a few links you might find interesting.
Hopefully they illuminate that services that are traditionally single
machine bound, are now on top of clusters of machines; and that is
a hack-a-day-patch-away scenario that is very fast moving. YMMV [1,2,3].
Mesos is the cluster technology that I follow (or at least try to).
I'm trying to get a full set of codes and mesos into the portage tree.
If nothing else, folks can use (3+) old machines to build a cluster
to see where we are all moving to (clouds and cluster), like it or not,
imho.
hth,
James
[1] https://mesosphere.github.io/mesos-dns/docs/tutorial-gce.html
[2] https://github.com/mesosphere/mesos-dns
[3] https://github.com/Banno/vagrant-mesos
[4] http://radar.oreilly.com/2014/01/apache-mesos-open-source-datacenter-computing.html
* Re: [gentoo-user] [OT] Strange behaviour of google certificates.
From: bitlord @ 2015-04-03 6:26 UTC
To: gentoo-user
On Thu, 2 Apr 2015 11:57:26 +0300
Gevisz <gevisz@gmail.com> wrote:
> On Thu, 2 Apr 2015 03:52:40 -0400 "Walter Dnes"
> <waltdnes@waltdnes.org> wrote:
>
> > On Wed, Apr 01, 2015 at 08:19:45PM +0300, Gevisz wrote
> >
> > > So, I am using Claws Mail that downloads e-mails from several
> > > google mail accounts (all are mine :) and about once or twice
> > > in a month get into the situation when Claws asks me to verify
> > > and change the google certificates, first in one direction and
> > > soon after that (usually during the next downloading of my
> > > e-mails)
> > > - in another.
> > >
...
> >
> > The 2 servers probably have different certificates, which is why
> > you get this behaviour. I suggest going into "apk mode" and
> > putting an entry into your hosts file <G>, like...
> >
> > 173.194.192.108 pop.gmail.com
> >
> > This will force your system to always use the same server, and
> > avoid the re-validation every time you hit the other server from
> > the one you used the previous time.
>
> Thank you for your advice. Added that line to my /etc/hosts file.
> After that Claws asked to verify the google certificate once again,
> but I hope that that was the last time this month and that that
> madness with google certificates finally ends. (Because in the last 2
> days this situation repeated at least 20 or more times.)
>
>
By looking at the screenshots that is >=claws-mail-3.10.x (I think
that is the version when it got support for validating certificate
chains)? There is an option in Configuration > Edit Accounts ... then
for every account you have "SSL" options, you can check to accept
"unknown valid certificates" so it will do it automatically, won't ask
if there is a new certificate and it is valid.
* Re: [gentoo-user] [OT] Strange behaviour of google certificates.
From: Gevisz @ 2015-04-03 6:50 UTC
On Fri, 3 Apr 2015 08:26:12 +0200 bitlord <bitlord0xff@gmail.com> wrote:
> On Thu, 2 Apr 2015 11:57:26 +0300
> Gevisz <gevisz@gmail.com> wrote:
>
> > On Thu, 2 Apr 2015 03:52:40 -0400 "Walter Dnes"
> > <waltdnes@waltdnes.org> wrote:
> >
> > > On Wed, Apr 01, 2015 at 08:19:45PM +0300, Gevisz wrote
> > >
> > > > So, I am using Claws Mail that downloads e-mails from several
> > > > google mail accounts (all are mine :) and about once or twice
> > > > in a month get into the situation when Claws asks me to verify
> > > > and change the google certificates, first in one direction and
> > > > soon after that (usually during the next downloading of my
> > > > e-mails)
> > > > - in another.
> > > >
> ...
> > >
> > > The 2 servers probably have different certificates, which is why
> > > you get this behaviour. I suggest going into "apk mode" and
> > > putting an entry into your hosts file <G>, like...
> > >
> > > 173.194.192.108 pop.gmail.com
> > >
> > > This will force your system to always use the same server, and
> > > avoid the re-validation every time you hit the other server from
> > > the one you used the previous time.
> >
> > Thank you for your advice. Added that line to my /etc/hosts file.
> > After that Claws asked to verify the google certificate once again,
> > but I hope that that was the last time this month and that that
> > madness with google certificates finally ends. (Because in the last 2
> > days this situation repeated at least 20 or more times.)
> >
> >
> By looking at the screenshots that is >=claws-mail-3.10.x (I think
> that is the version when it got support for validating certificate
> chains)? There is an option in Configuration > Edit Accounts ... then
> for every account you have "SSL" options, you can check to accept
> "unknown valid certificates" so it will do it automatically, won't ask
> if there is a new certificate and it is valid.
Thank you for your advice but I do not want to accept certificates
unverified and automatically and do not mind verifying a new google
certificate once a month or so. However, I do not want to see a madness
when my e-mail client asks me to verify the certificates that I have
already verified over and over again (as described above).
Sticking to only one gmail server, as advised by Walter,
so far solved the problem.
I write "so far" because there is a (very small) probability that
the madness ended by itself (because usually it took place not always
but at some periods when one gmail server already switched to a new
certificate and another one still uses the old certificate, I guess).
So, I have to wait one or two months (until they start to switch to
even more new certificate) to see how my e-mail client will react.
* Re: [gentoo-user] Re: [OT] Strange behaviour of google certificates.
From: Gevisz @ 2015-04-03 6:53 UTC
On Thu, 2 Apr 2015 15:57:20 +0000 (UTC) James <wireless@tampabay.rr.com> wrote:
> Walter Dnes <waltdnes <at> waltdnes.org> writes:
>
>
> > > So, I am using Claws Mail that downloads e-mails from several
> > > google mail accounts (all are mine :) and about once or twice
> > > in a month get into the situation when Claws asks me to verify
> > > and change the google certificates, first in one direction and
> > > soon after that (usually during the next downloading of my e-mails)
> > > - in another.
>
> > > I suspect that it is google that makes something wrong here.
> > > What do you think?
>
> > The 2 servers probably have different certificates, which is why you
> > get this behaviour. I suggest going into "apk mode" and putting an
> > entry into your hosts file <G>, like...
>
> > 173.194.192.108 pop.gmail.com
>
> > This will force your system to always use the same server, and avoid
> > the re-validation every time you hit the other server from the one you
> > used the previous time.
>
>
> Clusters & Clouds are
the cause of problems. :)
But thank you for the links. I will look at them later.
> the short answer. Everybody (big) is now racing to
> deploy services; often as if a single IP or dns record or domain name,
> yet underneath is a cluster of many, many machines. The security is,
> well, let's just say evolving to be kind. I have no idea about your
> particular situation; but I've been reading up on cluster and cloud
> for months now, so here are a few links you might find interesting.
> Hopefully they illuminate that services that are traditionally single
> machine bound, are now on top of clusters of machines; and that is
> a hack-a-day-patch-away scenario that is very fast moving. YMMV [1,2,3].
>
>
> Mesos is the cluster technology that I follow (or at least try to).
> I'm trying to get a full set of codes and mesos into the portage tree.
> If nothing else, folks can use (3+) old machines to build a cluster
> to see where we are all moving to (clouds and cluster), like it or not,
> imho.
>
>
> hth,
> James
>
> [1] https://mesosphere.github.io/mesos-dns/docs/tutorial-gce.html
>
> [2] https://github.com/mesosphere/mesos-dns
>
> [3] https://github.com/Banno/vagrant-mesos
>
> [4] http://radar.oreilly.com/2014/01/apache-mesos-open-source-datacenter-computing.html
>
>
>
>
>