6

Since recently, my Claws Mail client pops up a message "SSL/TLS certificate changed" every time it tries to connect to my Gmail account (at pop.gmail.com), with two options: "Cancel connection" and "Accept and Save". I use accept and save, but after 5 minutes the situation repeats. I know I can set skip_ssl_cert_check=1 in the configuration file clawsrc, but I don't fully understand the security implications of that. What is particularly strange to me, googling on this pop-up message yields absolutely nothing, as if I am the first Claws and Gmail user to encounter this problem. I use Claws version 3.16.0, ported to Windows 10, if that helps.

Maximko
  • Do you know if Claws uses the certificate store of the OS or has its own certificate store like Firefox? – Ramhound Jun 20 '18 at 14:02
  • No idea. There is a menu item under Tools called SSL/TLS certificate, where I can see the saved certificates and their attributes (signature, expiration, ...), but where they are stored is not obvious from there. – Maximko Jun 20 '18 at 14:21
  • You need to figure out the answer to my question – Ramhound Jun 20 '18 at 15:22
  • For anyone curious about *why* Google change their certificate every so often (once a month according to some sources), it seems to have to do with "forward secrecy": https://security.googleblog.com/2011/11/protecting-data-for-long-term-with.html – Sundar R Mar 07 '21 at 18:08

1 Answer

4

To get rid of this annoying repeated message, click on Configuration -> Preferences for Current Account, then click on SSL/TLS and SCROLL DOWN that panel to reveal some hidden checkboxes. Check the box labelled "Automatically accept valid SSL/TLS certificates" and clear the box labelled "Use non-blocking SSL/TLS." It took me forever to realize there were additional settings at the bottom of this panel.

  • 1
    Well, in my Claws Mail, I perfectly see those checkboxes right away when I open the SSL-config page :) But again, if I swap their check-states as you suggest, I do not fully understand security implications. After all, if this makes no difference in security and at the same time does not bother a user with SSL-question pop-ups, why is it not the default state? – Maximko Feb 05 '19 at 17:42
  • `Configure -> Edit Accounts` Under each account, the index is `SSL` and it's the last item. – shawnhcorey Mar 13 '19 at 16:52