Archived Forum Post

Question:

Imap Connect ignore certificate

Oct 22 '14 at 10:15

Using the apple email account setup program on the iphone, I can successfully connect to an exchange server which has an invalid certificate. I am prompted that the certificate is invalid, but can select that I am happy to continue.

Using the chilkat IMAP api I would like to achieve the same effect for my own email client. Can I somehow provide an option to the imap Connect method where I can set the /novalidate-cert flag for example, or is there a better way?


Answer

I haven't tried this myself, but the following 2 properties look interesting:

RequireSslCertVerify If 1, then the FTP2 client will verify the server's SSL certificate. The certificate is expired, or if the cert's signature is invalid, the connection is not allowed. The default value of this property is 0.

SslServerCertVerified Read-only property that returns 1 if the IMAP server's digital certificate was verified when connecting via SSL / TLS.

(Note to Chilkat - there appears to be a copy & paste error in the IMAP documentation for RequireSslCertVerify as it mentions FTP2 instead of IMAP).

I think you could set RequireSslCertVerify to 1, then attempt to connect. If the connection fails, check if the SslServerCertVerified property is 0. If so, prompt the user to confirm if they want to connect anyway. If they do want to connect, set the RequireSslCertVerify property to 0 and connect again (it should now work even with the bad certificate).
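The verify-then-ask-then-retry flow described above, written as an added example using Python's standard-library `imaplib` and `ssl` modules as a stand-in for Chilkat's properties (it is not Chilkat code and not from this thread): the default `ssl` context plays the role of RequireSslCertVerify = 1, and a context with `verify_mode = CERT_NONE` plays the role of RequireSslCertVerify = 0. The `confirm` callback and the injectable `connector` are assumptions added so the decision logic can be exercised without a live server.

```python
import imaplib
import ssl
from typing import Callable, Tuple

# A connector opens an IMAP-over-TLS session with the given context.
# It is injectable so the decision logic can be tested offline (assumption).
Connector = Callable[[str, int, ssl.SSLContext], object]


def strict_context() -> ssl.SSLContext:
    # Counterpart of RequireSslCertVerify = 1: the chain is validated
    # against the system trust store and the hostname must match.
    return ssl.create_default_context()


def unverified_context() -> ssl.SSLContext:
    # Counterpart of RequireSslCertVerify = 0: the session is still
    # encrypted, but nothing about the server's identity is checked.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def imap_connector(host: str, port: int, ctx: ssl.SSLContext) -> imaplib.IMAP4_SSL:
    # Real connector: TCP connect, then TLS handshake with the supplied policy.
    return imaplib.IMAP4_SSL(host, port, ssl_context=ctx, timeout=30)


def connect_with_fallback(
    host: str,
    port: int,
    confirm: Callable[[str, str], bool],
    connector: Connector = imap_connector,
) -> Tuple[object, bool]:
    """Connect strictly first; on a certificate failure ask the user and,
    only if they agree, reconnect without verification.

    Returns (connection, verified). Any other failure (TCP timeout,
    connection refused, DNS error) raises OSError unchanged, because a
    failure at the socket layer is not something a certificate prompt
    should hide.
    """
    try:
        return connector(host, port, strict_context()), True
    except ssl.SSLCertVerificationError as exc:
        # Only a certificate problem lands here; the TCP connect succeeded.
        if not confirm(host, str(exc)):
            raise
    return connector(host, port, unverified_context()), False


if __name__ == "__main__":
    # Hostname is a constructed placeholder, not a real server.
    def ask(host: str, reason: str) -> bool:
        return input(f"{host}: certificate rejected ({reason}). Continue? [y/N] ").lower() == "y"

    conn, verified = connect_with_fallback("imap.example.invalid", 993, ask)
    print("connected; certificate verified:", verified)
```

The `verified` flag is returned rather than discarded so the caller can show the user that the session is encrypted but unauthenticated; the second connect accepts any certificate, so the prompt is the only control standing between the user and an interposed server.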


Answer

Hi thanks for the response,

Unfortunately, I am not really having any luck - the connection appears to timeout due to a connection rejected. I can connect with the apple email client, or indeed by a web browser - I do of course get the certificate error message.

If Chilkat doesn't validate the SSL certificate by default anyway - something strange is happening with the connection rejection because I am not setting the flag to perform the validation.

    // Objective-C, Chilkat CkoImap. `ssl` was not declared in the posted snippet;
    // declaring it YES matches the "ssl: 1" in the log and port 993 (implicit SSL/TLS).
    BOOL ssl = YES;
    CkoImap *imap = [[CkoImap alloc] init];
    BOOL success;
    imap.KeepSessionLog = YES;
    imap.VerboseLogging = YES;
    imap.Ssl = ssl;
    imap.Port = [[NSNumber alloc] initWithInt:993];
    imap.ConnectTimeout = [[NSNumber alloc] initWithInt:300];   // seconds; appears as connectTimeoutMs: 300000 in the log
    success = [imap Connect:@"mail.architectusbrisbane.com.au"];
    if (!success) {
        NSLog(@"%@", imap.LastErrorText);   // the structured log quoted below comes from here
    }

    ChilkatLog:
      Connect_Imap(75436ms):
        DllDate: Oct 2 2014
        ChilkatVersion: 9.5.0.44
        Architecture: Little Endian; 64-bit
        Language: IOS Objective-C
        VerboseLogging: 1
        connectToImapServer(75436ms):
          hostname: mail.architectusbrisbane.com.au
          port: 993
          socket2Connect(75436ms):
            connect2(75436ms):
              hostname: mail.architectusbrisbane.com.au
              port: 993
              ssl: 1
              connectImplicitSsl(75436ms):
                connectSocket(75436ms):
                  domainOrIpAddress: mail.architectusbrisbane.com.au
                  port: 993
                  connectTimeoutMs: 300000
                  connect_ipv6_or_ipv4(75436ms):
                    Single-threaded domain to IP address resolution
                    AddrInfoList:
                      AddrInfo:
                        ai_flags: 0
                        ai_family: 2
                        ai_socktype: 1
                        ai_protocol: 6
                        ai_addrlen: 16
                        ai_canonname: (NULL)
                      --AddrInfo
                    --AddrInfoList
                    connecting to IPV4 address...
                    ipAddress: 203.174.129.122
                    connect(75265ms):
                      Waiting for the connect to complete...
                      getsockopt indicates an error.
                      socketErrno: 60
                      socketError: Operation timed out
                    --connect
                  --connect_ipv6_or_ipv4
                --connectSocket
                pmConnect failed.
              --connectImplicitSsl
              ConnectFailReason: Connection rejected
            --connect2
          --socket2Connect
          failReason: 7
        --connectToImapServer
        connect failed.
      --Connect_Imap
    --ChilkatLog


Answer

All Chilkat client-to-server communications begin with establishing a TCP socket connection. This applies to all protocols: FTP, SSH, IMAP, SMTP, POP3, HTTP, etc. and it makes no difference whether SSL/TLS is used or not. The initial step is to establish a TCP connection (IPv4 in this case, but IPv6 is also supported), and the destination (target) is an IP address and port. If a domain name is provided, such as "mail.architecturebrisbane.com", then this is resolved to an IP address first. It all boils down to a simple call to the "connect" system call (see http://linux.die.net/man/2/connect). If SSL/TLS or SSH is used to secure the connection, then this happens after the initial TCP connection.

If the initial connect fails, then it can be for some of the following reasons. (It is not reasonable to suspect a defect within the Chilkat code regarding the ability to establish the initial TCP connection.)

  1. No server is listening at the remote host:port.
  2. A firewall, either software or hardware, located on either the client or server-side, is blocking the connection. Software firewalls can allow "known programs" access, but block others.
  3. Anti-virus can block connections.

If you have other software that seems to connect to the same host:port, such as FileZilla, Outlook, the Apple Email program, PuTTY, etc., then it's likely not doing what you think it's doing. For example, maybe the program is using a proxy, or maybe the email client is using POP3 and not IMAP. My only suggestion is to look more closely at the given app to see exactly what it is doing.
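The layering in this answer is what the quoted log already shows: `socketErrno: 60` (Operation timed out) is raised inside `connect(...)`, before any TLS handshake, so no certificate setting could have changed the outcome. The following added example (not Chilkat code, not from this thread) separates the two layers the same way with Python's standard library: it reports a socket-layer failure distinctly from a TLS certificate failure, so a client can decide whether a certificate prompt is even relevant. The `diagnose` function and its result labels are assumptions introduced here.

```python
import socket
import ssl
import sys


def diagnose(host: str, port: int, timeout: float = 5.0) -> str:
    """Classify why an IMAP-over-TLS connection does or does not come up.

    Returns one of:
      'tcp_timeout'          - connect() timed out (listener absent or filtered)
      'tcp_refused'          - RST received: nothing listening on host:port
      'tcp_unreachable'      - DNS failure, no route, or other socket error
      'tls_cert_error'       - TCP worked, TLS worked, certificate rejected
      'tls_handshake_error'  - TCP worked, TLS handshake itself failed
      'ok'                   - TCP + TLS + certificate verification succeeded
    Only the 'tls_cert_error' case is one a "connect anyway" prompt can fix.
    """
    # Layer 1: plain TCP, exactly what the Chilkat log's connect(...) block does.
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:           # subclass of OSError; must be tested first
        return "tcp_timeout"
    except ConnectionRefusedError:
        return "tcp_refused"
    except OSError:
        return "tcp_unreachable"

    # Layer 2: TLS over the established socket, with full verification.
    with sock:
        ctx = ssl.create_default_context()
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                tls.getpeercert()    # handshake already done; cert is trusted here
                return "ok"
        except ssl.SSLCertVerificationError:   # subclass of SSLError; test first
            return "tls_cert_error"
        except (ssl.SSLError, OSError):
            return "tls_handshake_error"


if __name__ == "__main__":
    # Usage: python diagnose.py <host> [port]; port defaults to IMAPS (993).
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 993
    print(target, target_port, "->", diagnose(target, target_port))
```

Reading the result against the list above: `tcp_timeout` and `tcp_refused` point at reasons 1 and 2 (nothing listening, or a firewall dropping or resetting the SYN), while only `tls_cert_error` corresponds to the situation the question describes, where the Apple client shows a certificate warning and offers to continue.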