Certificate Installation with OpenSSL - Email Clients


Pine with TLS / SSL

Firstly, you'll need a version of pine with OpenSSL support built in. To check whether yours does, run pine -supported and look at the Encryption: section. If it doesn't list TLS and SSL, you'll need to get an OpenSSL-enabled version.

Before continuing, you need to ensure that your OpenSSL installation trusts the certificate of your server. If the certificate is from a non-mainstream CA (e.g. an in-house one), or is self-signed, you'll need to follow this guide to install the certificate. If you don't do this, you'll get a nasty error like this.
Oh, and if your CA isn't a top-level CA (e.g. a top-level CA signed a cert for you, which you then used as your own CA to sign the server cert), you should only need to trust one of the two: either the top-level CA or your in-house CA. That said, if you hit problems doing it, try adding the second CA certificate as a trusted CA as well, and the error might go away. If that turns out to be the case, also submit a bug report to the OpenSSL team: you should only have to trust one of the certificates on the signing chain to trust the end certificate.

For pine to do SSL IMAP, you will need to explicitly point it at the IMAPS service (port 993, not port 143). TLS IMAP is different: the encryption is activated over a normal IMAP session if both parties support it, so with TLS IMAP your client connects to the standard port (143).
This may mean that after a mail server or client upgrade, your session will transparently become TLS instead of clear text.

To force SSL (not advised unless your server only does SSL and not TLS), add /ssl/ to your imap path. To force TLS, add /tls/ to your imap path. Without either of these, pine will talk clear imap to the server, but try to negotiate up to TLS if supported by the server.

Some examples:
pine -inbox-path="imap.mycompany.com/" - clear text unless TLS is supported by the server, in which case TLS is used
pine -inbox-path="imap.mycompany.com/ssl" - SSL connection or die trying; won't be able to do TLS though
pine -inbox-path="imap.mycompany.com/tls" - TLS connection or die trying

For a fuller guide to pine and SSL, see the INCLUDING SSL section of the pine readme.


Note: If your mail server has a self-signed certificate, or one signed by a non-standard CA, you'll get an error screen looking something like:

There was a failure validating the SSL/TLS certificate for the server

                            magd1113.herald.ox.ac.uk

The reason for the failure was

                unable to get local issuer certificate (details)

We have not verified the identity of your server. If you ignore this
certificate validation problem and continue, you could end up connecting
to an imposter server.

If the certificate validation failure was expected and permanent you may
avoid seeing this warning message in the future by adding the option

                                /novalidate-cert

In this case, you should not add /novalidate-cert to your pine inbox string. Instead, go and install the CA / server certificate, so that pine can verify the server certificate. This is the correct fix for the pine error; telling pine to ignore certificate validation is EBW. As soon as you have installed the certificate, the error will go away for the right reason.
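Before deciding between installing a certificate and reaching for /novalidate-cert, it helps to see exactly what OpenSSL thinks of the server's chain over each of the two connection styles described above (IMAPS on 993, or STARTTLS on 143). The script below is an added example, not part of the original guide; it assumes an openssl binary on the PATH, and the host name and optional CA file are supplied by the caller (no real server is named).

```shell
#!/bin/sh
# Added example, not from the original guide: probe an IMAP server the two
# ways pine and mutt can reach it, and report whether OpenSSL's local trust
# store (plus an optional extra CA file) validates the certificate chain.
# Assumes an `openssl` binary on the PATH; host and CA file come from the
# caller, no real server is named here.

# parse_verify_code: read `openssl s_client` output on stdin and print the
# numeric "Verify return code" (0 means the chain validated). Prints "unknown"
# when no such line is present, e.g. the connection never completed.
parse_verify_code() {
    code=$(sed -n 's/^Verify return code: \([0-9][0-9]*\).*/\1/p' | tail -n 1)
    if [ -n "$code" ]; then printf '%s\n' "$code"; else printf 'unknown\n'; fi
}

# describe_verify_code: map the code to the fix the guide recommends. Code 20
# is the "unable to get local issuer certificate" case pine shows above.
describe_verify_code() {
    case "$1" in
        0)       echo "chain validated against the local trust store" ;;
        18)      echo "self-signed server cert: install it as a trusted cert" ;;
        19|20)   echo "issuer not trusted: install the CA certificate" ;;
        unknown) echo "no verify result (connection or handshake failed)" ;;
        *)       echo "verification failed with OpenSSL code $1" ;;
    esac
}

# imap_cert_check HOST MODE [CAFILE]
#   MODE=imaps    -> implicit SSL on port 993 (pine "/ssl", mutt imaps://)
#   MODE=starttls -> plain IMAP on port 143 upgraded via STARTTLS (pine "/tls")
# Prints "<code> <description>"; returns 0 only when the chain validated.
imap_cert_check() {
    host=$1; mode=$2; cafile=$3
    case "$mode" in
        imaps)    set -- -connect "$host:993" ;;
        starttls) set -- -connect "$host:143" -starttls imap ;;
        *) echo "usage: imap_cert_check HOST imaps|starttls [CAFILE]" >&2; return 2 ;;
    esac
    if [ -n "$cafile" ]; then set -- "$@" -CAfile "$cafile"; fi
    # </dev/null ends the session as soon as the handshake has completed
    code=$(openssl s_client "$@" </dev/null 2>/dev/null | parse_verify_code)
    printf '%s %s\n' "$code" "$(describe_verify_code "$code")"
    [ "$code" = 0 ]
}
```

Run it as `imap_cert_check imap.mycompany.com starttls` (or `imaps`), optionally with the path of the CA file you just installed as a third argument; once the output line starts with 0, pine will validate the same chain without /novalidate-cert.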

Making pine do SMIME

Firstly, check that you have installed your personal certificate correctly into the OpenSSL framework.

The patch to enable SMIME support in pine is currently produced by Thorsten Glaser. New versions are posted to comp.mail.pine, and are also available at http://mitglied.lycos.de/tygs/pub/. At the time of writing, you need both pine.smime and pine.smime.init; the documentation is in pine.smime.

There is also a new patch from Martin Kouril, which integrates further into pine (such as a new SMIME option in the configuration section). This can be found at http://coud.czweb.org/w.html.


Mutt with TLS / SSL

You will need an OpenSSL enabled version of mutt. To check, run mutt -v and check +USE_SSL is listed.

If the server supports TLS, an imap:// mailbox spec will cause the session to be negotiated up to TLS IMAP. To force SSL, change your mailbox spec from imap:// to imaps://. To force TLS, you will need to set the configuration value ssl_use_tlsv1.

If in doubt, you should find README.SSL in most mutt distributions. Go look at this.


Written By: Nick Burch    Last modified: Wednesday, 28-Jan-2004 14:00:03 GMT
These pages are from http://www.gagravarr.org/writing/openssl-certs/
This work is licensed under a Creative Commons License.