Sunday 14 November 2010

Ipad update and more problems with mail and SSL.

Well, I know a few people did not like how negative the last entry was, however I do not really think that anyone really disagrees!

The fact is, I love using the Ipad, and it is great for viewing PDFs/Ebooks, browsing the internet and emails - Which I did a lot on Friday/Saturday (and it was a joy to use), but after that, it is just a big Ipod/Iphone and I can not really see any "extra" benefits, if anyone wants to prove me wrong or say why you like it so much, please feel free.

Anyway, now a little update about the email problem.... and a bit more technical.

My setup here is basically a bog standard mail server that uses the standard SMTP, POP3 and IMAP ports, in addition, I have port 26 for Secure SMTP and 144 for Secure IMAP.... This is in addition to ports 465 for secure SMTP and 993 for Secure IMAP which the Ipad uses as default.

The reason for the alternate secure ports is simply down to the fact that a few clients had problems connecting through some ISPs that blocked. It is not really the point, AFAIK, this should not affect anything as you can configure the ports on the Ipad.

The SSL / secure ports are set in the mail server using a self signed certificate with no chain. The mail server itself was the root of this certificate. In addition, this certificate is installed on any client machines that allow it, this includes a mix of Windows, Linux and Mac machines, as well as Iphones, Blackberrys, Nokias and a bunch of other devices. Apart from one Mac machine about a week ago, there have never been any problems connecting to the server.

Now comes the tricky bit!

I found the Iphone configuration utility (Works for Ipods and Ipads!). It is a brilliant tool that allows you to see a console log of the device.


I used Wireshark to try and understand what is going on at a deeper level. It seems that the Ipad tries to do some "funky" stuff and if the server either does not allow SSL or has a standard certificate, there is no problem. If however you have a self signed/single chain certificate, it fails.

I tried installing the certificate, it installs without problem, but the mail just doesn't seem to work.

Next, I always wanted to have a proper signed root certificate that I can sign other certificates against - for a brief time I used the Microsoft solution but that was a while ago. I just wanted a very small easy solution, so I used OpenSSL.

I created my root certificate, distributed it to all client devices, and created a new certificate for the mail server (with the new root in the chain). When I applied the root certificate, it worked!
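The root-plus-server-certificate layout described above, sketched with the OpenSSL command line as an added example. These are not the author's actual commands; the CA name, the host name mail.example.test, the key size and the lifetimes are assumptions.

```shell
#!/bin/sh
# Added example: private root CA plus a mail-server certificate issued by it.
set -eu

make_pki() {  # make_pki DIR HOSTNAME -> writes root.{key,crt} and mail.{key,csr,crt}
    dir=$1; host=$2
    mkdir -p "$dir"
    cat > "$dir/pki.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused-overridden-by-subj
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    # Root: self-signed and flagged CA:TRUE; only root.crt is handed to clients.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/pki.cnf" -extensions v3_ca -subj "/CN=Example Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
    # Server: key and CSR, then a leaf certificate issued by the root.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$dir/pki.cnf" -subj "/CN=$host" \
        -keyout "$dir/mail.key" -out "$dir/mail.csr" 2>/dev/null
    openssl x509 -req -in "$dir/mail.csr" -sha256 -days 825 \
        -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial \
        -extfile "$dir/pki.cnf" -extensions v3_server -out "$dir/mail.crt" 2>/dev/null
}

chain_ok() {  # chain_ok TRUST_ANCHOR CERT -> 0 if CERT verifies against the anchor
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

is_ca() {  # is_ca CERT -> 0 if basicConstraints says CA:TRUE
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

demo=$(mktemp -d)
make_pki "$demo/a" mail.example.test
make_pki "$demo/b" mail.example.test   # unrelated root that happens to share the name
chain_ok "$demo/a/root.crt" "$demo/a/mail.crt" && echo "own root: trusted"
chain_ok "$demo/b/root.crt" "$demo/a/mail.crt" || echo "other root: not trusted"
is_ca "$demo/a/mail.crt" || echo "leaf is not a CA"
```

Running `chain_ok` against the root file actually exported to a device is a quick way to confirm that the server certificate and the distributed root belong together before looking at the client.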

In this time, I also created a new SSL certificate for my intranet, website and a few other things.

I did this on Thursday night, and I was so happy - not only did I finally have my own root certificate configured, I got mail on my Ipad!!! Everything was fast and good - it worked just as you would expect.

When I went to a business event on Friday/Saturday, everything was perfect, (even connected well to my Microsoft VPN Server). I was using the web browser and mail the entire time and I cannot say how much I enjoyed it (which being from Apple, I am ashamed to say!).

Coming home, I was feeling a little tired so stopped at a service station for a little rest (and a quick email check!) - This time it was a public WIFI point. Again, after getting a little confused by the BT Openzone sign on system (I don't like the way Ipad opens up the page, and if you cancel, it disconnects... I found it a little weird, but I want to investigate it later), it worked fine.

Then I got home yesterday and the real fun began. Over the trip, I must have connected to about 9 wifi points that I will never use again. One of my hates over all IOS devices is that there is no option to delete old WIFI points, so I chose the "Reset Network Settings" option... BIG MISTAKE.

(Additional Problem here, but one I can live with - even if you have a profile set that includes a WIFI SSID and code, it will keep the profile "installed" but will wipe the code - you need to retype. I can see this being a problem in enterprises as unless you have a 3G device, or reconnect it (via wire) to the configuration utility you will have to manually type it.)

Now comes the big problem - for some unknown reason, since then, MY MAIL STOPPED WORKING AGAIN.

The log shows:


I have tried everything I can imagine, deleting and reapplying the email account and the root certificate have not helped at all.

But, things get even worse now - I performed the same "reset network settings" option to the Ipod Touch here, and now it as well can no longer connect to the mail server (either unencrypted or encrypted).

In addition to this, it just appears that the root certificate does not get applied correctly - It is too hard to explain/show via Mail, so using Safari, I can show the following pictures.

Pictures speak a thousand words, so here is something that I hope may help someone to help me...

Visiting an Intranet site with the Root certificate installed, or removed produces this:


Clicking details with the root installed: - Note the "Not Trusted".


Clicking on "Details" with the root removed :


Profile showing that the root is installed:



Using Safari and browsing to the certificate with the root installed (notice that it is trusted):


Using Safari and browsing to the certificate with the root removed:



Please note that even if I specifically install the certificate, it still does not work - this is not relevant as installing the root is all that should be necessary.

The last two are exactly as I expect it should work, I just can't explain the second picture - It knows the root, but isn't verifying.

This time, I have no idea. Because of all my previous problems, I can only conclude that SSL on the Ipad (and possibly other IOS devices) simply does not work as it should.

Oh - and, final note, Apple support are completely and utterly useless... their solution - "You can set up a Gmail account and forward your emails there"... When I tried to ask about SSL in particular, they put me on hold whilst they check... After the call was on for about 10 minutes, they hung up. Next call, I spoke to an idiot. Apple really do not make it easy for someone to try to like them...

I have tried reporting this, asking for help/feedback, but I am just getting nowhere. If anyone wants an email account on one of my servers, the public root certificate, a link to an SSL site protected by the root, or anything - I am happy to help if you think you can help!

13 comments:

  1. having same problem on ipad and on iphone
    decided it's a problem with APPLE - not the devices

    Even went ahead and restored ipad to factory setting to see if it was device issue -- latest software and all and not working

  2. I'm trying to do something similar - routing the iPad's HTTP(S) traffic through Fiddler.
    Fiddler essentially performs an SSL man-in-the-middle attack to decrypt the content of the HTTPS sessions.
    On Windows you have to install the root Fiddler certificate and everything is working fine.
    On the iPad I'm having similar problems as you - the root certificate is installed correctly but I'm still getting certificate errors.
    This also happens after upgrading to iOS 4.2.1
