Yahoo Plus Mail

NOTE: This issue has been resolved to my satisfaction, see the next post for details.

I posted yesterday about an SSL error I was getting while trying to connect to a mail server. The error hasn’t gone away, and I now see that others are also seeing problems. So I figured I’d post what I’ve done in my attempts to get a handle on what’s going on.

I’ve done a number of things to try and verify what I’m connecting to and if the error is valid or possibly a bug in fetchmail. I’m leaning more towards “valid” at the moment. Here’s what I’ve done.

First, I’ve used an online cert checker to try and verify the certificate. I’ve used an online source because it’s unlikely to use the same routing as my computer here. The site verifies the certificate for plus.pop.mail.yahoo.com:995 and reveals the following fingerprint:

SHA1 Fingerprint=DE:1D:15:16:AE:0A:6A:37:16:64:DE:05:6D:66:21:94:90:F6:92:94

Incidentally, the IP it connects to is 67.195.135.187.

I then used the openssl command to see what I would get from my system. The command:

openssl s_client -connect plus.pop.mail.yahoo.com:995 -CApath /etc/certs

The certificate verified. For a further check, I then copied the certificate portion to a file and extracted the fingerprint to compare with the one the online checker returned. The command:

openssl x509 -noout -in yahooplus.pem -fingerprint

The resulting fingerprint matched the one from the online checker.

When fetchmail encounters the error, the certificate it returns is using the common name pop.mail.yahoo.com. So for kicks and giggles, I repeated the above steps on that particular server, again port 995. The certificate verified and all results from my computer matched results from the online checker. Here’s the resulting fingerprint:

SHA1 Fingerprint=12:F7:B1:69:C0:16:89:21:2A:37:8A:75:71:75:E3:5A:58:8E:11:C4

Here’s the fingerprint that fetchmail returns when the common name error occurs:

Fingerprint=1A:DB:9F:FE:D8:33:3E:08:C5:3E:7B:9C:31:FE:09:4A

If I ping the name plus.pop.mail.yahoo.com the IP returned in the ping is 206.190.53.40, and if I ping pop.mail.yahoo.com the IP returned is 206.190.53.11. Performing a whois on the IP’s and comparing them reveals differences, but I can’t say it’s anything conclusive.

One other observation is that the common name in the valid certificate from Yahoo uses a wildcard: *.pop.mail.yahoo.com. I originally thought that the error source may be a result of that. Given the other stuff I’ve found, I now think it’s unlikely.

UPDATE: AHH! Ok, a mistake on my part. The fingerprint that fetchmail uses is the MD5 fingerprint, not the SHA1 fingerprint. So my openssl command should read:

openssl x509 -noout -in yahooplus.pem -md5 -fingerprint

The results from this make everything a little less sinister. The MD5 fingerprint for the plus server:

MD5 Fingerprint=F6:0D:A4:CA:91:A9:AC:88:4C:BF:D6:70:02:61:87:86

and for the plain old pop server:

MD5 Fingerprint=1A:DB:9F:FE:D8:33:3E:08:C5:3E:7B:9C:31:FE:09:4A

Which matches the fingerprint returned in the error scenario. So it seems to be some kind of name resolution snafu where “plus.pop.mail.yahoo.com” gets resolved to the same server as “pop.mail.yahoo.com” which has a different certificate, thus the error.