Invalid or untrusted server SSL certificate

[GaryParr]

I have an Exchange IMAP connection setup through ZDesktop. Since the last upgrade (today) I am unable to send mail on this connection. I checked the account settings and when I click Validate and Save I get an error message about an Invalid or untrusted server SSL certificate.

I'm not using SSL on either the incoming or outgoing connection.

Is there anything going on here that I can do quickly to resolve this?

[jjzhuang]

You obvious are using SSL. If you click on the (detail) link when you see the error message, it will show you the SSL certificate.

[GaryParr]

Really?

Use SSL encryption when accessing this server is un-checked
Use SSL encryption when sending mail is un-checked

I must be an idiot, because to me it is not obvious that I'm using SSL.

And where is this "detail" link to display the SSL certificate? Are you sure you are talking about Zimbra Desktop?

[colker]

Your reply is not helpful. Furthermore, it's not very nice: "You obvious are using SLL." Don't be so confident unless your software works correctly (which it doesn't).

I am having the same problem as GaryParr, and the "Use SSL encryption when accessing this server" and "Use SSL encryption when sending mail" checkboxes are both "obvious" unchecked. Please research this problem before insinuating that we are both doing something wrong. It would be very appreciated. Thank you.

[GaryParr]

And to boot... you have added a feature that STOPS a product from working in a manner in which people have become accustomed to it working. End users do not care that an SSL certificate is wrong. That is a problem for the mail server admin. You would expect an option to ignore the error and continue anyway. That way at least the user could e-mail the mail server admin and let them know that there is a problem.

[bobby]

What version of Zimbra Desktop are you guys running? Is it zdesktop_0_92_build_1415? On what OS?

[bobby]

OK nm I just reproduced this (on zdesktop_0_92_build_1415) with tcpdump running. Desktop is issuing starttls; that's why it's encountering the certificate warning. JJ will be able to tell us if there is a preference for disabling this.

[GaryParr]

Thanks for looking into this Bobby. As a reference, I'm running .92 build 1418 on Linux. Any work around such as changing a config setting would be appreciated.

[jjzhuang]

could you please send me a screenshot of the error message you see? it sounds like your imap or smtp server is doing STARTTLS, which is a variation of SSL in that the connection is first established over plain socket and then negotiated into a secure channel. Please also include zdesktop.log right after it fails.

We are required to enforce this as it's considered a security risk. Please understand that you are using beta software so thing will get changed. We'll try to do our best to provide workarounds.

In this case, the easiest workaround is to add a key to <install>/conf/localconfig.xml:

<key name="data_source_trust_self_signed_certs">
<value>true</value>
</key>

then restart desktop server.

[colker]

jjzhuang, thank you for the workaround. I haven't had a chance to try it yet. Did GaryParr send you a screenshot and the logfile? If not, I will try to send you it tomorrow. Just let me know.