SSL issues after 4.4

POP Peeper: Tech support, suggestions, discussion, etc.
turbanator
Posts: 2
Joined: Thu May 11, 2017 6:24 pm

SSL issues after 4.4

Post by turbanator »

Upgraded from 4.3 to 4.4 and now all my SSL connections error:
SSL connection failed (certificate failed: unable to get local issuer certificate (20))
(the ones where SSL is from Let's Encrypt (my own servers))
and
SSL connection failed (certificate failed: self signed certificate (18))
where my email server is self signed (also my own but different servers)

help please.
Jeff
Admin / Developer
Posts: 9425
Joined: Sat Sep 08, 2001 9:46 pm

Re: SSL issues after 4.4

Post by Jeff »

Self-signed certificates are not secure, so you'll need to add an exception for these servers:
- From POP Peeper's main menu, select Tools / PPtweaker
- Select the "Certificates" page
- Add each server's name to the list (one server per line)
- Press OK

As for Let's Encrypt:
I don't believe that Windows includes the root CAs for Let's Encrypt by default.
Could you try opening the Let's Encrypt website using *Internet Explorer* or *Edge* (using MS-based browsers should update the Windows certificates that PP uses):
https://letsencrypt.org/
And then check POP Peeper again.

If that doesn't work, again using IE/Edge, open:
http://www.identrust.com/
And then check PP again.

Let me know which one of those URLs worked. If neither of those worked, let me know that, too, and you can add the servers to the exceptions in the meantime to get going again.
Jeff
Admin / Developer
Posts: 9425
Joined: Sat Sep 08, 2001 9:46 pm

Re: SSL issues after 4.4

Post by Jeff »

I misspoke -- Let's Encrypt *is* included in Windows by default:
https://community.letsencrypt.org/t/whi ... crypt/4394
As long as you have Vista+ (and maybe XP-SP3 with extra work).
turbanator
Posts: 2
Joined: Thu May 11, 2017 6:24 pm

Re: SSL issues after 4.4

Post by turbanator »

Excellent as always. I added all servers as exceptions.
Thank you for a fine product and support.
Rupi
Jeff
Admin / Developer
Posts: 9425
Joined: Sat Sep 08, 2001 9:46 pm

Re: SSL issues after 4.4

Post by Jeff »

Unfortunately, doing so does bypass the purpose of having a signed certificate. I emailed you, so if you want to pursue the problem, I would be willing and interested in assisting you.
lwc
Posts: 520
Joined: Tue Sep 27, 2005 5:46 am

Re: SSL issues after 4.4

Post by lwc »

Some things I've noticed:
  1. The error message for this issue is cut off in the relevant account's settings:
  2. PpTweaker has no help for:
    1. What will happen if I turn off "Enable local SSL certificate verification". Will it use a remote verification? If not, maybe it should be rephrased to "Enable (local) SSL certificate verification".
    2. Should I turn on "Enable hostname matching"? Is there any benefit?
Jeff
Admin / Developer
Posts: 9425
Joined: Sat Sep 08, 2001 9:46 pm

Re: SSL issues after 4.4

Post by Jeff »

Re: Let's Encrypt -- A solution is pending and will be posted upon confirmation. If anybody else has a similar problem (with Let's Encrypt or any other SSL certificate), please let me know!



lwc -- The error displayed in the account is not intended to be the primary reference for errors. Press the yellow '!' button on the status bar or File/Error-overview from the main menu.

Regarding the help -- This is one of the reasons I decided to link to the online faq instead of putting the documentation directly into the local help file -- because I knew it was a work in progress requiring possibly-frequent updates :)

If you disable local SSL certificate verification, then PP won't do any checks. It's not as secure.

"Hostname matching" is another step up in security. I would recommend enabling it, and if you have any errors, deal with them.

It was a tough choice, but I decided to disable this feature by default because I knew it would cause even more issues on top of the certificate-verification option. I think that the faq explains the potential issues and how to fix it, but let me know if you run into any problems and/or if you think that the faq can be improved.
lwc
Posts: 520
Joined: Tue Sep 27, 2005 5:46 am

Re: SSL issues after 4.4

Post by lwc »

If you're looking to test a server that needs an exception, try the free gmx.net - both POP and IMAP need an exception.

As for "local", as mentioned maybe rename it to "(local)". Without brackets (like now) it implies there's also a remote option.
Maybe make PpTweaker's help link to the FAQ like you said.
I know the error is more detailed in the log. Maybe write something like "error: more info in the log".
Jeff
Admin / Developer
Posts: 9425
Joined: Sat Sep 08, 2001 9:46 pm

Re: SSL issues after 4.4

Post by Jeff »

lwc wrote:If you're looking to test a server that needs an exception, try the free gmx.net - both POP and IMAP need an exception.
I believe that gmx.net is only free if you live in Germany. However, I don't need an account to check the SSL status. I may have a solution for this, I'll get back.
lwc wrote:As for "local", as mentioned maybe rename it to "(local)". Without brackets (like now) it implies there's also a remote option.
I see your point, but I'm not sure using parens would clarify it. I decided to just remove the word "local".
lwc wrote:Maybe make PpTweaker's help link to the FAQ like you said.
It does...? If you press F1, it opens the help which -- in its entirety -- is:
"
PpTweaker: Certificates
Please refer to the following FAQ for the most up-to-date information regarding SSL certificate verification:
http://www.esumsoft.com/products/pop-pe ... ?q=sslcert
"
Jeff
Admin / Developer
Posts: 9425
Joined: Sat Sep 08, 2001 9:46 pm

Re: SSL issues after 4.4

Post by Jeff »

Ok, regarding gmx.net: my primary Win7 already had the appropriate certificate in the Windows certificate store, so I didn't have a problem there, but it was not in my Win10 test machine. So I've added the certificate to the list of certificates that PP will include by default.

You can download the latest file here:
https://data.esumsoft.com/files/cacert.pem
-> right-click and "save as" the file
(note that certificate files should ONLY be downloaded over a secure connection)

Place this file in the following folder:
{POPPeeper-Install-Folder}\SslCerts\
e.g. C:\Program Files (x86)\POP Peeper\SslCerts\
-> Since "Program Files" is protected, it may be necessary to save the file somewhere else (e.g. on your desktop) and then manually move the file to the correct location.

Note that the "SslCerts" folder may or may not exist. If it already exists, it's ok to overwrite the existing cacert.pem file.
It shouldn't be necessary to restart POP Peeper.
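
Added example, not part of the thread and not POP Peeper's code: the two messages in the first post carry OpenSSL verify result codes, so the same checks can be reproduced outside the mail client with Python's ssl module, against the system trust store or a specific cacert.pem, with hostname matching on or off. The host mail.example.org and all helper names are assumptions.

```python
import re
import socket
import ssl

# Matches the message format quoted in the first post, e.g.
# "SSL connection failed (certificate failed: self signed certificate (18))"
ERROR_RE = re.compile(r"certificate failed: (?P<reason>.+?) \((?P<code>\d+)\)\)")

# OpenSSL verify result codes relevant to this thread and what they call for.
ADVICE = {
    18: "leaf certificate is self-signed: trust it explicitly or replace it",
    20: "issuer not in the trust store: server is not sending its "
        "intermediate, or the root is missing from the CA bundle",
    62: "certificate does not cover the hostname the client connected to",
}

def parse_error(line):
    """Return (code, reason) from a POP Peeper style error line, or None."""
    m = ERROR_RE.search(line)
    return (int(m.group("code")), m.group("reason")) if m else None

def explain(code):
    return ADVICE.get(code, "see OpenSSL verify result code %d" % code)

def build_context(cafile=None, match_hostname=True):
    """Verifying client context; cafile=None uses the system trust store."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = match_hostname  # chain verification itself stays on
    return ctx

def probe(host, port, cafile=None, match_hostname=True, timeout=10):
    """Handshake with an implicit-TLS port (995 POP3S, 993 IMAPS).

    Returns (0, "ok") or the OpenSSL (verify_code, verify_message).
    """
    ctx = build_context(cafile, match_hostname)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return (0, "ok")
    except ssl.SSLCertVerificationError as exc:
        return (exc.verify_code, exc.verify_message)

if __name__ == "__main__":
    # Hypothetical host: run once with the system store, once with cacert.pem.
    code, msg = probe("mail.example.org", 995)
    print(code, msg, "->", "nothing to fix" if code == 0 else explain(code))
```

A result of 20 from the system store that becomes 0 when `cafile` points at the downloaded cacert.pem indicates a missing root in the store rather than a server-side chain problem.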
lwc
Posts: 520
Joined: Tue Sep 27, 2005 5:46 am

Re: SSL issues after 4.4

Post by lwc »

Jeff wrote:
lwc wrote:Maybe make PpTweaker's help link to the FAQ like you said.
It does...? If you press F1, it opens the help which -- in its entirety -- is:
When I click help inside PpTweaker I just get PP's general help, not the online FAQ.
mjs
Moderator
Posts: 2267
Joined: Sun Jul 17, 2011 2:36 am

Re: SSL issues after 4.4

Post by mjs »

lwc wrote: When I click help inside PpTweaker I just get PP's general help, not the online FAQ.
In the PPtweaker interface window select "Certificates" and then press F1 or the "Help (F1)" button.
This will open the Help page where in the case of "Certificates" there is a link to FAQ for this specific help topic. Other tab selections will be directed toward the relevant Help page for the tab selected when pressing F1 or the "Help (F1)" button.

In regards to the "Certificates" tab this is what Jeff was posting of which the bottom part (in quotes) is specifically what you will see on the "Certificates" help page:
lwc wrote:Maybe make PpTweaker's help link to the FAQ like you said.
Jeff wrote: It does...? If you press F1, it opens the help which -- in its entirety -- is:
"
PpTweaker: Certificates
Please refer to the following FAQ for the most up-to-date information regarding SSL certificate verification:
http://www.esumsoft.com/products/pop-pe ... ?q=sslcert
"
Good judgment comes from experience and a lot of that comes from bad judgment. - Will Rogers
lwc
Posts: 520
Joined: Tue Sep 27, 2005 5:46 am

Re: SSL issues after 4.4

Post by lwc »

Turns out the F1 issue was because I had to enter POPPeeper.chm's properties and click to unblock.
Jeff wrote:I believe that gmx.net is only free if you live in Germany. However, I don't need an account to check the SSL status. I may have a solution for this, I'll get back.
Back when I registered there, it was open to everyone as long as you dealt with the German...
But just reporting that you indeed got it working in 4.4.2 (probably already in 4.4.1), thanks!
Jeff wrote:I see your point, but I'm not sure using parens would clarify it. I decided to just remove the word "local".
It seems PPTweaker wasn't updated to 4.4.1/2, so it's still there.
Jeff
Admin / Developer
Posts: 9425
Joined: Sat Sep 08, 2001 9:46 pm

Re: SSL issues after 4.4

Post by Jeff »

lwc wrote:It seems PPTweaker wasn't updated to 4.4.1/2, so it's still there.
#-o

What's ironic is that when I compiled v4.4.2, I had accidentally selected "rebuild entire project" instead of just rebuilding poppeeper.exe, smtp.dll and imap.dll (what I thought were the only files affected by v4.4.2) and I had to copy the original files back in, including PPtweaker.dll. Had I just left well enough alone, it would have gotten the text change...