Google POP3 certificate problem and Thunderbird

Last night I noticed my hosted Google mail accounts filling up with messages. Usually my email client at work drains all the new messages into its inbox, meaning my web account empties as quickly as messages come in. When I got into the office this morning I found it was Thunderbird complaining of a certificate problem — Thunderbird was connecting to pop.googlemail.com but getting an expired certificate from cpop.corp.google.com.

Working together with Malcolm, we were able to track this down to an issue where the servers report the wrong certificate, if and only if there’s a TLS server_name extension in the initial handshake packet. Only Thunderbird seems to send this; viewing the port via curl or Internet Explorer didn’t have the issue. Thanks to Wireshark for the tip-off. A build of the latest OpenSSL shows this up:

openssl s_client -msg -debug \
        -servername pop.googlemail.com -tlsextdebug \
        -connect 66.249.93.16:995

Malcolm’s reported a bug to Google, and we’re hoping it’s a quick fix. In the meantime, there’s a workaround for Thunderbird. If you go to Tools->Options, then the Advanced page and click the “Config Editor”, you can disable TLS (and therefore the TLS extension). Type “tls” into the box and uncheck the “security.enable_tls” option.

Hopefully it’ll be fixed soon!

Update 4pm : this issue is now confirmed fixed by Google. Quick work there!

Filed under: Blog
Posted at 12:02:00 GMT on 4th December 2007.

About Matt Godbolt

Matt Godbolt is a C++ developer working in Chicago in the finance industry.