Author Topic: "SSL/TLS Connection Detected" alert always flashing on screen, won't go away  (Read 83064 times)

0 Members and 1 Guest are viewing this topic.

mac.newt

  • Guest
Thank you @tumic

iBozz

  • Guest
I've followed the above instructions and the annoying pop-ups have disappeared, but being an untechnical non-geek I have no idea whether my mail is now secure.

I don't recall this problem with earlier versions of avast! and I'm afraid that i consider that this is a backward step.

Yes, I know it's free, and very grateful I am for that, but surely the upgrade/installation should be either seamless or at least be fully explained in simple English and not in terms such as The SSL certificates required for the server authentication must be in one of the 'System Roots' or 'System' keychains before the server is added to the list which are pretty well meaningless to the technophobic user?

What happens when the current version "expires" and the application needs downloading and updating again (which has happened from time to time in the past) - will my Mail stop working because avast! has expired or perhaps continue to work but then not be secure?  Will I have to reintroduce the SSL option in Mail preferences for the dozen accounts with two different providers which I run?

A good product but let down by this over complication - please make it easier for the non-dweeb!




MacOSX.6.8, Mail v4.5 (1084), 27" quad-core i7 iMac
« Last Edit: May 28, 2012, 10:12:13 PM by iBozz »

sejtam

  • Guest
So in the mail shield, I add all the IMAP server I connect to and it then obtains their IP addresses.

But what happens should the IP addresses change in the future? Will Avast automatically detect that
and modify that list?

Offline tumic

  • Avast team
  • Advanced Poster
  • *
  • Posts: 723
So in the mail shield, I add all the IMAP server I connect to and it then obtains their IP addresses.

But what happens should the IP addresses change in the future? Will Avast automatically detect that
and modify that list?

Currently not, but it may be added in the future. But note, that IP address changes of mailservers are very rare, so it should not be such an issue.

sejtam

  • Guest
It may be for folks who see different Ip addresses when inside/outside their company LAN (DNS returns different IP) or where the mail provider attempts to provide some level of 'global load balancing' by returning differenyt IPs (for different locations, or to direct traffic differently based on load)

iBozz

  • Guest
Well, after changing the SSL settings as advised earlier, all the amber alerts disappeared.

However, when checking my email the following morning, I got a series of red alerts which said something along the lines that mail couldn't be collected because the servers needed SSL security - sorry, I was so hacked off that i didn't record the actual words.

Accordingly, I checked the SSL box for each mail account and downloaded my emails - but got the series of amber alerts yet again.

So, wanting neither a series of amber alerts or red alerts, which seem the only options, i've uninstalled avast! and will wait for a new version which hasn't tried too hard to be clever.

I'm not a geek, so I want a solution which will install and operate without any technical input (such as changing SSL settings when I don't have much real idea of what they are or what the implications may be) from me - like Sophos, clamXav or iAntivirus, all of which instal with little or no fuss.

Sorry avast!, this update seems a retrograde step to me.

hatchjaw

  • Guest
Having the same issue as iBozz, I believe. SSL is disabled in Mail on all my incoming mailservers; I added these servers to the avast! mail shield SSL list.

The Gmail accounts I'm checking seem to be fine, but I get the following screen-full of warnings from other accounts:



Meanwhile in /var/log/system.log I'm getting lines like:

Code: [Select]
Jun  7 18:15:48 xxxxx proxy[1506]: No common name matching host name (xxxxxxxx.outlook.com) found in peer certificate!
Jun  7 18:15:48 xxxxx proxy[1506]: Certificate verification failed: SSL_get_verify_result(): self signed certificate
Jun  7 18:15:50 xxxxx proxy[1506]: Certificate verification failed: SSL_get_verify_result(): unable to get local issuer certificate

So I guess I need SSL certificates and I need them to be in the right place. Where do I get the certificates from and where do I put them? As you can see, one account is trying to access a mail server that's running outlook (forgive me if some of my terminology is inaccurate here; this is not my area of expertise); there are four accounts that are associated with a website I have hosted by Dreamhost.

Any help much appreciated.

Offline tumic

  • Avast team
  • Advanced Poster
  • *
  • Posts: 723
So I guess I need SSL certificates and I need them to be in the right place. Where do I get the certificates from and where do I put them?

The right place are the "System roots" and "System" keychains. For most servers, the certification authority certificate is already present in the "System Roots" keychain, if not, you have to import it to the "System" keychain. And where to get them? From the cryptographic point of view, you should obtain the certificate via a "trusted channel" like on a flash disk from the system administrator, but the common way is to download it from the certification authority website/mail server provider website. You can also get it directly from a connection to the server, for example by executing the command:

Code: [Select]
openssl s_client -connect your.mailserver.com:993
and storing the certificate

Code: [Select]
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

as a .cer file.

Note, that there may be special tools for that if you are not familiar with the command line.

hatchjaw

  • Guest
Many thanks for your reply. I took your advice and got hold of the certificates I needed by ssl-ing into the servers I needed through the command line.

Unfortunately, I think I'm falling foul of this problem: http://wiki.dreamhost.com/Certificate_Domain_Mismatch_Error
While Dreamhost provides advice as to how to get around certificate domain mismatch errors, the other email providers I use aren't so helpful. In any case, changing the hostname in Mail for my Dreamhost-based email accounts didn't stop the error messages.

Your instructions were clear, and following them has given me an improved understanding of the problem, but until this gets considerably more straightforward to set up in avast, I have no option but to reinstate SSL on my accounts in Mail and turn off the avast mail shield.


Offline tumic

  • Avast team
  • Advanced Poster
  • *
  • Posts: 723
changing the hostname in Mail for my Dreamhost-based email accounts didn't stop the error messages.

You have to put the correct hostname (the hostname that is in the server's certificate) to the avast mailshield preferences (and remove the old entry!). Changing the hostname in the client does not affect anything as the mailshield is now the component which is "doing" SSL/TLS.

hatchjaw

  • Guest
Thank you; this helped. Since I haven't been able to establish the correct hostname for some of my accounts, I've left SSL on for them in Mail (so I get warnings), but my other accounts are being monitored correctly (I assume!) by the avast mail shield. It's a start!

Offline huanito

  • Newbie
  • *
  • Posts: 8
The message is trying to say (the popup messages will be much more informative in the next beta release): "The avast! mailshield can not check your mail traffic because it is encrypted" and appears every time your mail client connects to the server. The solution is not to switch the popup verbosity to "errors and alerts only", but to disable SSL in your mail clients configuration and set it up in the avast! mailshield configuration.

This way the avast! mailshield will be able to check the mail traffic and your connection to the server will remain encrypted.

 I downloaded the user manual
http://files.avast.com/files/documentation/quick-start-guide-v7-free-eng.pdf
to get more information about this and searched it for ssl, tls and mail (separately) and got zero hits.
I am wondering where I can find documentation on this? Thanks

hatchjaw

  • Guest
Agreed; documentation on this matter is sorely lacking.

Gmail has spontaneously started giving me problems again:



This is in spite of the following:

I have added imap.gmail.com to my SSL list in the mail shield preferences:



I have deactivated SSL in Mail for my Gmail account:



And the Equifax certificate authority that I understand covers Gmail is in the System Roots in my Keychain:




I can only be doing something wrong, but what is it? Any help much appreciated.

Offline huanito

  • Newbie
  • *
  • Posts: 8
I see that a reverse DNS on that gives

 # hostx imap.gmail.com
imap.gmail.com          CNAME   gmail-imap.l.google.com
gmail-imap.l.google.com A       173.194.79.108
gmail-imap.l.google.com A       173.194.79.109


So I wonder if you need to put for the server   gmail-imap.l.google.com rather than imap.gmail.com

and if that works it will solve my issue too...maybe



oops I see it might get even more complicated:
# hostx  173.194.79.108
Name: pb-in-f108.1e100.net
Address: 173.194.79.108

and 
# hostx  173.194.79.109
Name: pb-in-f109.1e100.net
Address: 173.194.79.109

wonder how to tell what is on the SSL cert as the server name?
beats me!
« Last Edit: June 15, 2012, 02:52:22 AM by huanito »

hatchjaw

  • Guest
Thanks, huanito; putting gmail-imap.l.google.com in my SSL list in the mail shield preferences actually got Gmail behaving again for me.