POP Peeper and SSL Hostname matching

Miki
Posts: 17
Joined: Sun Aug 14, 2016 6:38 pm

POP Peeper and SSL Hostname matching

Post by Miki »

Good morning,

I have now updated to version 4.5.2 and (as I read in the history) many accounts give me errors:
- Fix: Hostname matching (aka SNI) is now enabled by default; this improves security and is required by Avast/AVG for Gmail; this may cause some email accounts that are not configured correctly (as specified by the email provider) to error; this potential error condition will only affect email hosted on personal domains (see: https://www.esumsoft.com/products/pop-p ... memismatch)
With the FAQ I have fixed many accounts, but for 2 accounts it is not so easy to discover the certificate's hostname.

2 ways to get it:

1) easy and simple: SSL Checker on site

2) easy but not simple: OpenSSL command line:
openssl s_client -showcerts -connect pop.vodafone.it:993
---
---
Certificate chain
0 s:/C=GB/ST=Berkshire/L=Newbury/O=Vodafone Group Services Limited/OU=IT/CN=imap.vodafone.it
i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
In some particular cases the server hostname doesn't match the server communicated by the provider and
doesn't match the server discovered automatically by POP Peeper

Question: would it be possible, on account creation/editing, to detect whether the hostname matches the server certificate?
Or a way to discover it automatically?
Or to get more detailed information, like the certificate hostname, in the Server Info?
Right now the Server Info shows only generic information:
[vodafone.it - xyz]

Messages: -4
Server size: 0 bytes
Mem size: 0 bytes
File size: 0 bytes

Last DB Maint (global): 09/12/18 03:30:08 (1 days)

Last success: -
Last error: 09/13/18 13:29:26 (6 minutes ago)
- Connessione SSL fallita (è stato caricato il Plugin SSL?) (certificate failed: Specified server does not match hostname in certificate [hostname mismatch])
Consecutive errors: 3

CAPABILITIES:


SSL Certificate Information:
Error: Specified server does not match hostname in certificate [hostname mismatch]

Regards

Miki
Last edited by spc3rd on Thu Sep 13, 2018 8:03 am, edited 1 time in total.
Reason: External links removed for security reasons.
Jeff
Admin / Developer
Posts: 9234
Joined: Sat Sep 08, 2001 9:46 pm

Re: POP Peeper and SSL Hostname matching

Post by Jeff »

First things first:
openssl s_client -showcerts -connect pop.vodafone.it:993
You're using the POP3 hostname with the IMAP port number. The POP3 port is 995. In this case of vodafone.it (and many other servers, but this is not a general rule), when you use the above you're actually connecting to the imap server. So the certificate is for imap.vodafone.it and you're going to get a mismatch because you requested pop.vodafone.it.

So assuming that you're actually trying to use IMAP in POP Peeper and those are the values that you're using, you need to change the server to:
imap.vodafone.it


The best way to get the proper hostname is from your email service provider. They will (should) always tell you what the proper hostname to use is.

I suppose another option (without having to use openssl.exe) would be to:
1) temporarily disable "hostname matching" in PP
2) (change your login/password to something fake if you're not on a secure connection; invalid login won't matter for this)
3) Connect to the account
4) Refer to the details in "server info" to get the correct hostname

Just something worth mentioning -- the value presented in the certificate may include wildcards.
In some particular cases the server hostname doesn't match the server communicated by the provider and doesn't match the server discovered automatically by POP Peeper
Can you let me know what case that was (where POP Peeper discovered a server that didn't match correctly)? I tested vodafone for pop3 and imap and it found the correct one (pop.vodafone.it and imap.vodafone.it). (Note that vodafone.it is not in the mozilla isp database, nor do they have their own mail configuration publicly available, so PP had to fall back to the brute-force discovery mode.)

Or to get more detailed information, like the certificate hostname, in the Server Info?
I did try to get this information, but I have to admit that I could not figure out how to obtain it for a failed connection. OpenSSL does not return a certificate to POP Peeper in the event that the verification fails; and without a certificate, POP Peeper cannot expose any information about the correct hostname. As I'm writing this, it occurs to me that there may be a way to do it if PP doesn't set OpenSSL to do the hostname verification automatically but does it as an extra step (which I think exists); however, I'm not sure that this is ideal either.
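
The "extra step" idea in the reply above, as an added example (not POP Peeper's code and not part of the original thread): the certificate chain is still verified during the handshake, but the name check runs afterwards, so a mismatch can report the names the certificate actually carries. The function names are hypothetical, the wildcard rule is deliberately strict (a whole left-most label only), and the sample certificate is constructed from the CN shown in the thread.

```python
import socket
import ssl


def cert_names(cert):
    """DNS names from a getpeercert() dict: subjectAltName first, CN as fallback."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names


def name_matches(pattern, host):
    """Case-insensitive match; '*' is accepted only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # A wildcard covers exactly one label and never a bare suffix such as *.it
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def check_host(cert, host):
    """Return (ok, names) so a mismatch can still report what the certificate says."""
    names = cert_names(cert)
    return any(name_matches(n, host) for n in names), names


def fetch_cert(host, port, timeout=10):
    """Implicit-TLS connect (993/995): chain is still verified, name check deferred."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # verify_mode stays CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:   # still sends SNI
            return tls.getpeercert()


# Constructed sample shaped like getpeercert() output, using the CN from the thread.
SAMPLE = {"subject": ((("commonName", "imap.vodafone.it"),),),
          "subjectAltName": (("DNS", "imap.vodafone.it"),)}

if __name__ == "__main__":
    ok, names = check_host(SAMPLE, "pop.vodafone.it")
    print("match" if ok else "hostname mismatch; certificate is valid for: " + ", ".join(names))
```

fetch_cert closes the connection without sending anything; credentials should only go over a connection whose certificate has passed check_host for the configured server name.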
Jeff
Admin / Developer
Posts: 9234
Joined: Sat Sep 08, 2001 9:46 pm

Re: POP Peeper and SSL Hostname matching

Post by Jeff »

The website that you (Miki) originally linked to check the SSL certificates is:
https://www.sslshopper.com/ssl-checker.html
(the link had been removed so that it could be reviewed)

This looks like a very useful utility and it's much easier to use than OpenSSL command-line. Thumbs up!