warnings about bad SSL certificate when viewing mail

Bug #19065 reported by Mikel Ward
This bug affects 3 people

Affects             Status    Importance  Assigned to          Milestone
Evolution           Expired   Low
evolution (Ubuntu)  Invalid   Wishlist    Ubuntu Desktop Bugs

Bug Description

When trying to view a Sun Microsystems newsletter, I get about six messages
warning me that the SSL certificate for promo-manager.server-secure.com is bad.

One sample image URL referred to in the message is
<https://promo-manager.server-secure.com/users/WC-408060/images/22936.jpg>. The
full equivalent message can be viewed at <
https://promo-manager.server-secure.com/pm/view_email.php?id=15464&u=1986>.

The SSL certificate was issued by Comodo, a certificate authority (CA) I've
never heard of, but Firefox happily opens URLs on this site and claims the
certificate is valid.

If I knew where to go to add a CA in Evolution/gtkhtml, I'd do so,
but there's no user interface for this that I can find.

If the missing CA is the reason for these messages, I'd like you to consider
updating your CA list.

Revision history for this message
Mikel Ward (mikelward) wrote :

Created an attachment (id=3020)
text of SSL confirmation dialog

Revision history for this message
Mikel Ward (mikelward) wrote :

Apparently Comodo is chain certified by a GTE CyberTrust root certificate,
rather than having their own root.

These certificates are common from sites such as <http://www.instantssl.com/>.

Revision history for this message
Sebastien Bacher (seb128) wrote :

Thanks for your bug. What version of evolution/Ubuntu do you use? Can you make a
copy of the message about the certificate?

Revision history for this message
Mikel Ward (mikelward) wrote :

Hoary with Evo 2.2.1.1-0ubuntu4.

Bad SSL certificate dialog text is in the attachment.

Revision history for this message
Sebastien Bacher (seb128) wrote :

This text seems to be a standard question, you just have to acknowledge, don't you?

Revision history for this message
Mikel Ward (mikelward) wrote :

Yes, clicking Accept shows the message.

The problem is this message implies the CA is known but the certificate is bad,
which appears not to be the case.

A cautious user would not and should not click "Accept".

Why Sun chose to use https links for non-sensitive images in its newsletter is
another question, but this problem will still present itself for any other
(potentially sensitive) message using this CA.

If there are certificates missing that are widely believed to be trustworthy,
they should be added.

If I am getting this dialog for another reason, that is another bug to be
investigated.

Revision history for this message
Sebastien Bacher (seb128) wrote :

Sorry, but that's not clear to me. Is the message "Do you wish to accept?" from
comment #1 the issue? Maybe you can attach the mail to the bug? Can you
describe what happens exactly, i.e.:
* open the bug
* get that dialog "text of the dialog"
* accept
* get that other dialog "text of the new dialog"

Revision history for this message
Mikel Ward (mikelward) wrote :

No, it's real simple.

The certificate's fingerprint is correct.
The certificate is current.
The certificate authority is legitimate.

I should never even see the first dialog.

Revision history for this message
Sebastien Bacher (seb128) wrote :

The dialog is just here to inform that there is a certificate, what is the issue
with that? That's not an error or a warning but just a standard dialog.

Revision history for this message
Mikel Ward (mikelward) wrote :

The dialog text includes:
Signature: BAD

This implies that the certificate was actively checked against the certificate
authority but it did not check out.

Since the certificate is indeed correct, I am assuming that the error occurs
because Evolution does not recognize the CA.

1) Evolution should not say the certificate is BAD when it is simply UNKNOWN
(this is a separate yet-to-be-filed bug)
2) Evolution should have the Comodo certificate chain preinstalled

Do you seriously just click on OK when you get a bad certificate dialog?

Revision history for this message
Sebastien Bacher (seb128) wrote :

Do you still have this issue with Ubuntu 5.10?

Revision history for this message
Mikel Ward (mikelward) wrote :

I don't have the original message anymore.

Has something changed to fix this in Breezy, or was that just a ping?

Revision history for this message
Dennis Kaarsemaker (dennis) wrote : Re: [Bug 19065] Re: warnings about bad SSL certificate when viewing mail

In evolution 2.6 (Ubuntu Dapper Drake), and I'm quite sure that the same
holds for the Evolution version in Breezy, one can easily add
certificates and CAs via edit -> preferences. Is that good enough for
you to call this fixed?

Revision history for this message
Mikel Ward (mikelward) wrote :

No. That's a useful feature, but it doesn't address the problems I raised:

If Firefox (and presumably also Thunderbird) regard the Cybertrust root as trusted, then I think Evolution should also trust it (or at least investigate trusting it).

If a certificate is valid but untrusted, the error message should say UNTRUSTED, not BAD.

Changed in evolution:
assignee: seb128 → desktop-bugs
status: Needs Info → Unconfirmed
Revision history for this message
Carthik Sharma (carthik) wrote :

I have forwarded the bug upstream.

Thank you for reporting this bug and following up on it.

Changed in evolution:
importance: Medium → Wishlist
status: Unconfirmed → Confirmed
Changed in evolution:
status: Unknown → Unconfirmed
Revision history for this message
chantra (chantra) wrote :

I have my own mail server and my certificate is not signed by a trusted company.
The only thing I need is to have a connection tunneled through SSL.

I'm pretty puzzled by the fact that Evolution asks me to accept this certificate **every time** I open Evolution. There is no checkbox to say "accept permanently".

Shouldn't this be an option?

Revision history for this message
Eladon (troy-fun) wrote :

Yes, I just noticed this too. Rather annoying to have to deal with this prompt every time I start up Evolution just because I want to use SSL for my connection. :-(

Revision history for this message
Václav Šmilauer (eudoxos) wrote :

For the record, the offending code for the certificate prompt is in evolution-data-server-1.12.0/camel/camel-tcp-stream-ssl.c:865. I would fix it, but I don't know how Evolution stores settings: some certificate identifiers (probably issuer and fingerprint?) must be stored in gconf so that they are recognized on subsequent runs.

Changed in evolution:
status: Confirmed → Triaged
Revision history for this message
Tessa Lau (tlau) wrote :

I also have a self-signed certificate for my IMAP server and I have to accept it via Evolution *every* time I start it up. Why can't we have an "accept permanently" option like Thunderbird has?

Revision history for this message
nclm (nclm) wrote :

Workaround for those who use self-signed certificates:

Add your certificate in Edit-Preferences-Certificates-Authorities-Import

Revision history for this message
Matthias Heiler (heiler) wrote :

Have the same problem with ubuntu 8.04 using one of the most popular German email providers.

===
Issuer: <email address hidden>,CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
Subject: CN=mail.gmx.net,O=GMX GmbH,L=Munich,ST=Bayern,C=DE
Fingerprint: a6:39:94:c6:f7:99:ce:b2:cb:9a:4e:00:c0:5a:2b:3f
Signature: BAD

Do you wish to accept
===

Revision history for this message
Darren Carlson (darren-carlson) wrote :

@Matthias Heiler:

1. Download the Thawte root CA file by going here:
   http://www.thawte.com/roots/index.html
you can fill out bogus information. I did :-)

2. From Evolution / Preferences / Certificates / Authorities, import a new cert file.
Use the "Thawte Server Roots / ThawtePremiumServerCA.cer" file.
This file has an MD5 hash of "069f6979166690021b8c8ca2c3076f3a"

I believe Mikel Ward has this problem well described and I repeat the gist of his comments:

a. Evolution should not say a certificate is BAD when the problem is simply that it cannot verify the certificate because it does not recognize the Issuer as trusted. It should say UNKNOWN ISSUER, UNTRUSTED ISSUER, or something similar. BAD implies it failed some integrity check.

b. I also agree Evolution ought to be using an existing trusted certificate database. Certificate validation ought to be primarily an OS function, not an application function. If Evolution wants to keep user mail certs, that is fine. But when you go around sticking root CAs in a user app, that seems a little screwy to me.

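The distinction Mikel Ward and Darren Carlson draw above, an issuer that is merely absent from the trust store versus a signature that actually fails to verify, can be checked with the plain openssl command line. The script below is an added example written for this page; it is not code from the bug report, from Evolution, or from any of the commenters. It generates a throw-away root CA and a leaf certificate locally (the names ExampleRoot and mail.example.net are made up), runs `openssl verify` in the three configurations that matter here, and, for Darren's step 2, shows that the MD5 fingerprint Evolution prints is the MD5 of the DER-encoded certificate file.

```shell
#!/bin/sh
# Added example, not part of the bug report or of Evolution. Uses only the
# openssl CLI; every key and certificate is generated locally, so it runs
# offline. ExampleRoot and mail.example.net are made-up names.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throw-away root CA plus one leaf certificate signed by it.
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=ExampleRoot" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.net" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Copy of the leaf with the last byte of its DER encoding changed. That byte
# is inside the signature BIT STRING (the final element of the Certificate
# SEQUENCE), so the certificate still parses but the signature no longer
# verifies under the issuer's public key: a genuinely BAD signature.
make_tampered_leaf() {
    openssl x509 -in "$WORK/leaf.pem" -outform DER -out "$WORK/leaf.der"
    size=$(wc -c < "$WORK/leaf.der")
    last=$(tail -c 1 "$WORK/leaf.der" | od -An -tu1 | tr -d ' ')
    head -c $((size - 1)) "$WORK/leaf.der" > "$WORK/tampered.der"
    printf "$(printf '\\%03o' $(( (last + 1) % 256 )))" >> "$WORK/tampered.der"
    openssl x509 -inform DER -in "$WORK/tampered.der" -out "$WORK/tampered.pem"
}

# Reduce "openssl verify" output to the distinction the dialog blurs.
# Usage: classify <cert> [openssl verify options...]
classify() {
    cert=$1; shift
    out=$(openssl verify "$@" "$cert" 2>&1) || true
    case $out in
        *"certificate signature failure"*)           echo BAD_SIGNATURE ;;
        *"unable to get local issuer certificate"*)  echo UNTRUSTED_ISSUER ;;
        *": OK"*)                                    echo OK ;;
        *)                                           echo "OTHER: $out" ;;
    esac
}

trusted_leaf()   { classify "$WORK/leaf.pem" -CAfile "$WORK/ca.pem"; }       # -> OK
unknown_issuer() { classify "$WORK/leaf.pem" -no-CAfile -no-CApath; }        # -> UNTRUSTED_ISSUER
bad_signature()  { classify "$WORK/tampered.pem" -CAfile "$WORK/ca.pem"; }   # -> BAD_SIGNATURE

# The fingerprint in Evolution's dialog is an MD5 over the DER encoding of the
# certificate; lower-case hex without colons so the two forms can be compared.
md5_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -md5 | sed 's/.*=//' | tr -d ':' | tr 'A-F' 'a-f'
}
der_md5() {
    openssl dgst -md5 "$1" | sed 's/.*= *//'
}

make_pki
make_tampered_leaf
printf 'trusted issuer, good signature: %s\n' "$(trusted_leaf)"
printf 'issuer not in trust store:      %s\n' "$(unknown_issuer)"
printf 'tampered signature:             %s\n' "$(bad_signature)"
printf 'dialog-style fingerprint:       %s\n' "$(md5_fingerprint "$WORK/leaf.pem")"
printf 'md5 of DER file:                %s\n' "$(der_md5 "$WORK/leaf.der")"
```

Only the third case is what "Signature: BAD" ought to mean; the second is the situation in this bug, where the chain is intact but the issuer is not in the application's store. On the fingerprint check: the value only matches the hash of a downloaded root file when that file is DER encoded, so a PEM .cer must first be converted with `openssl x509 -outform DER` before its file hash is compared with the dialog.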
Revision history for this message
Darik Horn (dajhorn) wrote :

This bug persists in Hardy with Evolution 2.22.3.1, and it looks like Intrepid could have it too.

I've attached a screenshot to complement the text attachment.

Revision history for this message
Darik Horn (dajhorn) wrote :

This bug got fixed in the Intrepid beta. I'm getting desirable behavior from the latest Evolution 2.24.0 packages.

Changed in evolution:
importance: Unknown → Low
Revision history for this message
Nic Knox (baknox) wrote :

Seems like this bug's re-emerged recently [I'm running evolution 2.28.3 on Ubuntu 10.04LTS]. It is merely irritating to have to deal with this rather persistent popup - I wish it would go away.

Revision history for this message
Jörg Frings-Fürst (jff-de) wrote :

Bug from 2011. Version no longer supported.
Changing status to Invalid (see gnome-bugs).

Changed in evolution (Ubuntu):
status: Triaged → Invalid
Changed in evolution:
status: New → Expired