SSL/TLS connection detected!

[tumic]

This was fixed several versions ago (avast! has now openssl libraries included in the bundle).

But this has nothing to do with missing certificates on your machine. However, you can always
get the certificate from the SSL connection itself, for example by issuing a SSL connection to the
mail server with openssl:

Code: [Select]

openssl s_client -connect your.imap.server.com:993
and save the certificate from the output:

Code: [Select]

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

to a .cer file and then import it to the system keychain.

But note, that from the the cryptography point of view, this is wrong, as you can not trust
the certificate.

[white-note]

Hello tumic.

Thanks for your fast Reply.

To be honest: I don't know how to execute your tips.

What I don't understand is:
I did a fresh install on my Macbook today (downloaded Mountain Lian from Apple), did a clean install with Microsoft Office 2011 (installed SP1), and downloaded Avast today.

So, everything is the latest version.

If this was fixed, why don't I have the certificates on my Mac?
I didn't installed any back ups, so that can't be the problem..

I would hate to uninstall Avast, as I think it's very good software, i use it on my Android as well.

[tumic]

If this was fixed, why don't I have the certificates on my Mac?

The certificates of the most common certification authorities (CA) are part of Mac OS X and are maintained by Apple. This means that for the most "big" servers like gmail, yahoo or hotmail, the certificates are present on your system. However, if you use a server with a self signed certificate or a server signed by a not so common CA, the certificate will be missing, and you have to obtain it by your self.

What email (IMAP) server are you connecting to?

[white-note]

On my Mac I use only gmail.
So the server is imap.gmail.com, and smtp.gmail.com

[Tonin_US]

Hi,

I've installed Avast yesterday and I got orange "SSL/TLS Connection detected box". So, I tried to follow the instructions... Uncheck the SSL box in the Mail app and add the server (gmail, so I assume it is imap.gmail.com) to the Avast preference shield.

My issue is that I cannot do that. Each time I try to add the gmail server, I get a message that tells that Avast can not connect the server? (I try to be sure that imap.gmail.com is copy into System in the chain keys).



What shall I do?

Thanks in advance.

[white-note]

Exact my problem...

If I can't solve this, I'm gonna try Bitdefender instead....
I really don't understand that this has to be so difficult.
(Hoping the problem is in the program instead of in me....)

[badgerit]

Hi,

I've followed the instructions as best I can, and now Mail doesn't download my messages from gmail.

It can see the messages and starts trying to download them, and then the data transfer rate drops down to 0 KB/s and nothing happens.

If I tick the SSL box in mailbox account preferences it downloads the messages fine, but then I get the pop up.

Is 'password' the correct security setting?

Thanks,

Rebecca

[hschumi]

Hi,

I've installed Avast yesterday and I got orange "SSL/TLS Connection detected box". So, I tried to follow the instructions... Uncheck the SSL box in the Mail app and add the server (gmail, so I assume it is imap.gmail.com) to the Avast preference shield.

My issue is that I cannot do that. Each time I try to add the gmail server, I get a message that tells that Avast can not connect the server? (I try to be sure that imap.gmail.com is copy into System in the chain keys).



What shall I do?

Thanks in advance.

Exactly the same problem here. Avast! Could you PLEASE provide some instructions how to add the imap.gmail.com server to the list of SSL-servers.

[Katrachin]

I have the same problem of you colleagues

the solution proposed at first before work, I use it on OSX lion a few months ago.

now install OSX 10.8.2 ML from scratch and download the latest version of avast for mac, with the results that you explained.

I noticed in this version of avast, the default value for error alerts on SSL / TLS conection: is disabled.

then no alerts appear, but email shield does not work. So more new users may experience the problem without knowing it.

for now i disable the use of SSL on mail, so the shield can scan. But lose the benefit of encryption on the connection.

[sejtam]

I have the same issue on a newly installed avast! for mac.

when I try to add  imap.gmail.com, I get the error "Error verifying mail server"
and the same for imap.googlemail.com

**** HOWEVER ****

When I then try adding my corporate email server, that verifies OK *and* then both it *and* the imap.gmail.com server
that was reportedly not verifyiable shows up with IP addresses in the list.

**WTF**?

So now the unverified imap.gmail.com is listed as if it had been verified. Thus avast will now think that server
verified even if that was not possible?

(or is it that it was in fact verified, but it just failed to be added to the list and the wrong error shown?
In either case, I have *NO TRUST*  in that anymore...

Trying to verify it again afterwards still fails.

This is with Avast 7.0 (37781)

[sejtam]

i raised a support ticket on this (the fact that servers that were not verified were added along with a later verified server to the SSL list, as if they had passed verification)..

https://support.avast.com/index.php?_m=tickets&_a=viewticket&ticketid=3027537

[tumic]

When you add imap.gmail.com to the list of SSL servers, multiple IP addresses are added to the list and each of them is verified. If one of the addresses fails to verify, you get the error window, but all passed addresses are added to the list. I confess, that this is a little bit confusing and one may even consider it an error.

So what probably happens for all of you that get the "verification error" message is, that you have broken IPv6 in your network and verification of imap.gmail.com fails on IPv6 (you get its IPv6 address from DNS, but can not access it). If you post here the system log entries, we can prove this.

[sejtam]

When you add imap.gmail.com to the list of SSL servers, multiple IP addresses are added to the list and each of them is verified. If one of the addresses fails to verify, you get the error window, but all passed addresses are added to the list. I confess, that this is a little bit confusing and one may even consider it an error.

Might be, but I'd like to see proof of that.

So what probably happens for all of you that get the "verification error" message is, that you have broken IPv6 in your network and verification of imap.gmail.com fails on IPv6 (you get its IPv6 address from DNS, but can not access it). If you post here the system log entries, we can prove this.

IPv6 is turned off in the [ MailShield / Advanced /General tab ].
I have nly the normal site-local addresses configured, nothing else anyway
I also ran a tcpdump looking for the v6 address reported for imap.gmail.com (2607:f8b0:4003:c02::6c) but nothing is shown either

Where do i find the specific system log?

[sejtam]

Ah ok, the normal 'system.log' logs;

Dec  7 11:02:31 matjes-Mac-mini-2.local System Preferences[47850]: 995: The operation couldn<E2><80><99>t be completed. (OSStatus error -9807.)
Dec  7 11:02:32 --- last message repeated 1 time ---
Dec  7 11:02:32 matjes-Mac-mini-2.local System Preferences[47850]: 995: The operation couldn<E2><80><99>t be completed. No route to host
Dec  7 11:02:32 matjes-Mac-mini-2.local System Preferences[47850]: 993: The operation couldn<E2><80><99>t be completed. No route to host

which of course does not hold sufficient info to even link it to the avast SSL check, so I missed it earlier.

It seems to be stupid of avast to try something via v6 when v6 is turned off ( have turned off and on the mail shield to see if that makes it recognize to not try v6, but no luck. there seems to be no way to totally unload avast for a fresh restart (other than a reboot).)

[sejtam]

and even rebooting the mac after turning off Iv6 did not help this.
This is definitely a bug, as none of the (allegedly verified addresses) would be added unless one successfully added another server later...