
Support Forum

ZTE Open C - Email SSL/STARTTLS [bad-security] - unable to establish a secure connection

Posted

I just received the ZTE Open C in the mail on Friday. I am running through setting up my phone.

I cannot fetch my email because of the SSL/STARTTLS [bad-security] error. I suppose this is because of my ISP's self-signed certificate. Has a solution to this been created yet? Will it ever be fixed? If it is not, I can send my phone back to them right away and get my money back.



Additional System Details

Application

  • User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:29.0) Gecko/20100101 Firefox/29.0


Andrew
  • Moderator
321 solutions 4036 answers

Hi!

It doesn't seem like this is currently supported. I'm sure if sure this feature will be supported for further versions of Firefox OS on the ZTE Open C. You can patiently wait for this feature to arrive.

This issue is being tracked in https://bugzilla.mozilla.org/show_bug.cgi?id=874346

Important: please do not comment on bug reports unless you have substantial information that benefits the working of the bug

Thanks!

asuth 1 solutions 11 answers

Helpful Reply

If the certificate is self-signed rather than a question of domains not lining up right, then one of the 2 work-arounds may be required:

  • Assuming the same certificate is also used on https for the server, connect to the server in the browser app and add an exception there. The email app uses the same certificate store so things will start to work.
  • Import the certificate onto the device; this is required if the same certificate is not served via https. https://groups.google.com/d/msg/mozilla.dev.b2g/B57slgVO3TU/G5TA-PiFI_EJ

Note that in both cases if the self-signed certificate changes, then you will need to repeat the procedures. I would also advise you to verify the certificate fingerprint using an alternate network path and to perform the whole process over a network that is less likely to be attacker-controlled.

If it's possible for you to name the domain in use, I can help determine the exact certificate problem and we can also perhaps try to help evangelize the server operator to improve their security by using valid certificates. These are currently freely available from https://www.startssl.com/?app=1 and cheap in general, so there aren't a lot of convincing reasons to use self-signed certificates.

Question owner

asuth: The ISP is Dreamhost - www.dreamhost.com. I have a domain they are hosting, and mail.yourdomain.com is the alias. Unfortunately your first suggestion didn't work for me. But second one, if I understand you correctly, is to install ADB, then plug my phone into the system that has ADB (hopefully it will install onto OS X). Then take the PEM from Dreamhost and integrate it across the bridge.

This is my first experience with phone dev tools, Firefox OS, and Android.

Thanks

asuth 1 solutions 11 answers

Chosen Solution

Dreamhost has valid certificates. However, the certificates they have are for *.mail.dreamhost.com and will not cover your vanity domain. The correct server to use for dreamhost will be one of:

  • sub3.mail.dreamhost.com
  • sub4.mail.dreamhost.com
  • sub5.mail.dreamhost.com
  • homie.mail.dreamhost.com

For my vanity domain "asutherland.org" which is hosted at dreamhost, I use the "dig" command to avoid having to go to their panel interface.

I type: dig mail.asutherland.org

This results in:

;; ANSWER SECTION:
mail.asutherland.org. 14400 IN A 69.163.253.135

Then I type: dig -x 69.163.253.135

Which results in:

;; ANSWER SECTION:
135.253.163.69.in-addr.arpa. 14400 IN PTR sub4.mail.dreamhost.com.

Which is how I know to use sub4.mail.dreamhost.com.

We do want to improve the autoconfig configuration for dreamhost. Unfortunately it will require some new development on our part unless dreamhost implements IMAP proxying so that a single IMAP server can be used.
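The hostname mismatch described in the answer above, as an added example that is not part of the original thread: it applies RFC 6125-style wildcard matching to the names from the dig output to show why mail.asutherland.org is rejected while the PTR name is accepted. The function names are hypothetical, and the certificate name list is taken from the answer's description rather than read from a live server.

```python
import ipaddress


def reverse_name(ip: str) -> str:
    """Return the in-addr.arpa name that `dig -x <ip>` queries."""
    return ipaddress.ip_address(ip).reverse_pointer


def matches(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison of one certificate name against a host.

    A wildcard is honoured only as the entire leftmost label and stands for
    exactly one label, so it never spans dots or matches the bare parent.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Refuse overly broad patterns such as "*.com".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def usable_server(configured: str, ptr_names, cert_names):
    """Return the first of (configured host, PTR names) the certificate covers."""
    for candidate in [configured, *ptr_names]:
        if any(matches(name, candidate) for name in cert_names):
            return candidate.rstrip(".")
    return None


# Values copied from the dig output quoted in the answer.
A_RECORD = "69.163.253.135"
PTR_NAMES = ["sub4.mail.dreamhost.com."]
# Certificate coverage as the answer describes it (assumed, not fetched).
CERT_NAMES = ["*.mail.dreamhost.com"]

if __name__ == "__main__":
    print("dig -x queries:", reverse_name(A_RECORD))
    print("vanity name covered:",
          any(matches(n, "mail.asutherland.org") for n in CERT_NAMES))
    print("server to configure:",
          usable_server("mail.asutherland.org", PTR_NAMES, CERT_NAMES))
```

PTR records are not authenticated, so the reverse lookup only suggests a candidate name. The protection still comes from the mail client validating the certificate chain for whichever name is configured, and that name should be one the provider documents.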
asuth 1 solutions 11 answers

And note that you can get the info from your dreamhost control panel by clicking on "Account status" in the upper right and finding the value with the label "Your Email Cluster" and applying the mapping described at http://wiki.dreamhost.com/Certificate_Domain_Mismatch_Error#Direct_server

asuth 1 solutions 11 answers

I have created https://bugzil.la/1012495 to track improving the Dreamhost autoconfig experience.


Question owner

@asuth How lucky I am that you use Dreamhost! Many thanks for this very specific resolution for we Dreamhost customers. I expect at some point in the future when they change my mail host without telling me, I'll be using this method you demonstrated time and again.

Also thank you for the very active and detailed support you have given me today. I'm using my email on this phone right now.

Best wishes, ectopunk
