"Performing SSL/TLS handshake for session 7. Verify certificate: False"

mickyzac
New user
Posts: 3
Joined: 2024-05-22 19:34

"Performing SSL/TLS handshake for session 7. Verify certificate: False"

Post by mickyzac » 2024-05-22 19:43

I have only a subdomain service.

I installed a self-signed .crt on hMailserver, and in operation it looks good.
However the log says

"Performing SSL/TLS handshake for session 7. Verify certificate: False"

Is there NO way to use TLS1.2 for self-signed?
Why does hMailserver do "Verify certificate: False"?

Do I have to use Let's Encrypt?

Thank you for your help

jim.bus
Senior user
Posts: 1618
Joined: 2011-05-28 11:49
Location: US

Re: "Performing SSL/TLS handshake for session 7. Verify certificate: False"

Post by jim.bus » 2024-05-22 21:29

Using a FREE LET'S ENCRYPT CERTIFICATE would be better and they generally are recognized as legitimate certificates.

However, the Log message you read is not an 'error'. It is merely stating that hMailserver didn't verify the certificate of the receiving server which may simply be because the receiving server doesn't have a certificate. The receiving server isn't required to have a certificate to have a successful connection. Encryption is only established if the receiving server supports encryption with protocols that both support. Verifying the receiving server merely means the certificate of the receiving server is valid.

See this Documentation: https://www.hmailserver.com/documentati ... nce_ssltls
If you think you understand quantum mechanics, you don't understand quantum mechanics.

palinka
Senior user
Posts: 4591
Joined: 2017-09-12 17:57

Re: "Performing SSL/TLS handshake for session 7. Verify certificate: False"

Post by palinka » 2024-05-22 22:28

jim.bus wrote:
2024-05-22 21:29
It is merely stating that hMailserver didn't verify the certificate of the receiving server which may simply be because the receiving server doesn't have a certificate.
No, that's a setting for hmailserver - enabled or not enabled: settings > advanced > SSL/TLS > Verify remote server SSL/TLS certificates

palinka
Senior user
Posts: 4591
Joined: 2017-09-12 17:57

Re: "Performing SSL/TLS handshake for session 7. Verify certificate: False"

Post by palinka » 2024-05-22 22:33

mickyzac wrote:
2024-05-22 19:43
Is there NO way to use TLS1.2 for self-signed ?
It should and probably is working for you.
Why hMailserver does " Verify certificate: False"?
See above. However, beware of that because some remote servers may have incorrectly configured certificates that will cause a failure. This includes gmail because they issue their own root cert that is probably not installed on your server.
Do I have to use Let's Encrypt?
No, but jim.bus is right - you should. Why not? It's easy and free and accepted by 99.99999% of mail servers.

jim.bus
Senior user
Posts: 1618
Joined: 2011-05-28 11:49
Location: US

Re: "Performing SSL/TLS handshake for session 7. Verify certificate: False"

Post by jim.bus » 2024-05-22 23:04

palinka wrote:
2024-05-22 22:28
jim.bus wrote:
2024-05-22 21:29
It is merely stating that hMailserver didn't verify the certificate of the receiving server which may simply be because the receiving server doesn't have a certificate.
No, that's a setting for hmailserver - enabled or not enabled: settings > advanced > SSL/TLS > Verify remote server SSL/TLS certificates
That setting you refer to is what I was writing about. When that setting is checked then hMailServer will attempt to verify the certificate of the receiving email server. If there is no certificate then hMailserver will not be able to verify the certificate. I have that setting selected and I get 'Verify remote server: False' Log entries all the time which means the Remote (Receiving) Server doesn't have a certificate or the certificate is not valid, etc.

jim.bus
Senior user
Posts: 1618
Joined: 2011-05-28 11:49
Location: US

Re: "Performing SSL/TLS handshake for session 7. Verify certificate: False"

Post by jim.bus » 2024-05-22 23:09

You will be able to see what Encryption protocol hMailServer is using by checking the Log Entry which you should find stating that the 'TLS/SSL handshake completed'. It is usually right after the 'Verify certificate' Log Entry. This Log Entry will tell you which TLS Encryption you are using. To see these Log Entries make sure you've enabled all your Logs.

palinka
Senior user
Posts: 4591
Joined: 2017-09-12 17:57

Re: "Performing SSL/TLS handshake for session 7. Verify certificate: False"

Post by palinka » 2024-05-22 23:15

jim.bus wrote:
2024-05-22 23:04
palinka wrote:
2024-05-22 22:28
jim.bus wrote:
2024-05-22 21:29
It is merely stating that hMailserver didn't verify the certificate of the receiving server which may simply be because the receiving server doesn't have a certificate.
No, that's a setting for hmailserver - enabled or not enabled: settings > advanced > SSL/TLS > Verify remote server SSL/TLS certificates
That setting you refer to is what I was writing about. When that setting is checked then hMailServer will attempt to verify the certificate of the receiving email server. If there is no certificate then hMailserver will not be able to verify the certificate. I have that setting selected and I get 'Verify remote server: False' Log entries all the time which means the Remote (Receiving) Server doesn't have a certificate or the certificate is not valid, etc.
It means you unchecked the box in settings > advanced > SSL/TLS > Verify remote server SSL/TLS certificates. You get that message on every transaction - if it's not checking validity, how would it know the cert is not valid? The message just means that it's not checking at all. Any certificate will work if you don't check validity.

jim.bus
Senior user
Posts: 1618
Joined: 2011-05-28 11:49
Location: US

Re: "Performing SSL/TLS handshake for session 7. Verify certificate: False"

Post by jim.bus » 2024-05-23 03:56

palinka wrote:
2024-05-22 23:15
jim.bus wrote:
2024-05-22 23:04
palinka wrote:
2024-05-22 22:28


No, that's a setting for hmailserver - enabled or not enabled: settings > advanced > SSL/TLS > Verify remote server SSL/TLS certificates
That setting you refer to is what I was writing about. When that setting is checked then hMailServer will attempt to verify the certificate of the receiving email server. If there is no certificate then hMailserver will not be able to verify the certificate. I have that setting selected and I get 'Verify remote server: False' Log entries all the time which means the Remote (Receiving) Server doesn't have a certificate or the certificate is not valid, etc.
It means you unchecked the box in settings > advanced > SSL/TLS > Verify remote server SSL/TLS certificates. You get that message on every transaction - if it's not checking validity, how would it know the cert is not valid? The message just means that it's not checking at all. Any certificate will work if you don't check validity.
My option to verify certificate is selected and I get the Log Entry about Verify Certificate being False plus I also where appropriate get the True indication. I confirmed that before making my statement. Plus I reviewed the Documentation link I provided to make sure my statement wouldn't contradict the Help Documentation. Perhaps you are mistaking the False response with what the Diagnostics Utility that produces the False setting which will indicate the 'Verify certificate False' to mean it is not selected.

I believe you will probably only see Verify Certificate: True when hMailServer connects to a receiving server because when that option is selected hMailserver is using the Receiving Server's (Remote Server) certificate to verify the identity of the Receiving Server meaning hMailServer wants to make sure it is connecting to the expected Remote Server when that option is selected.

palinka
Senior user
Posts: 4591
Joined: 2017-09-12 17:57

Re: "Performing SSL/TLS handshake for session 7. Verify certificate: False"

Post by palinka » 2024-05-23 07:22

I just did a log search and yes, I have many "Verify certificate: False" in my logs even though I have "Verify remote server SSL/TLS certificates" checked in settings. huh...

A little more looking. It seems that message appears on all connections except SMTPC where it says "Verify certificate: True". And that makes sense because why would hmailserver verify incoming connections? It's providing the cert for inspection on incoming connections.

jim.bus
Senior user
Posts: 1618
Joined: 2011-05-28 11:49
Location: US

Re: "Performing SSL/TLS handshake for session 7. Verify certificate: False"

Post by jim.bus » 2024-05-23 08:45

palinka wrote:
2024-05-23 07:22
I just did a log search and yes, I have many "Verify certificate: False" in my logs even though I have "Verify remote server SSL/TLS certificates" checked in settings. huh...

A little more looking. It seems that message appears on all connections except SMTPC where it says "Verify certificate: True". And that makes sense because why would hmailserver verify incoming connections? It's providing the cert for inspection on incoming connections.
I have observed in the past that some clients (Outlook being one such client) will verify hMailserver's certificate and if the Certificate name doesn't match the server (SAN names count too) the client will prompt the user if the user still wants to use the certificate. Clients do not need to present Certificates to the Email Server nor verify the Email Server certificate. I used to get these kinds of Client message prompts when my Email Service screwed up (before I was using hMailServer) and probably substituted for the Production email server a test server which had all the same accounts on it. To get around that issue until the email service corrected the Email Server they had changed back to the Production Email Server, I just pointed my Outlook to the test server name and waited a few days after I reported the issue and then switched the Test Email Server name back to the Production Email Server name and everything was as normal before.

And yes hMailServer doesn't verify Certificates on incoming connections but I believe the Help Documentation says for External Accounts it will.

mattg
Moderator
Posts: 22456
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: "Performing SSL/TLS handshake for session 7. Verify certificate: False"

Post by mattg » 2024-05-31 08:52

mickyzac wrote:
2024-05-22 19:43
I have only sub domainservice.

I installed self-signed .crt to hMailserver, and on operation looks good.
However the log says

"Performing SSL/TLS handshake for session 7. Verify certificate: False"
What that line is actually saying is

"Performing SSL/TLS handshake for session 7 and I am NOT GOING TO TRY and verify the certificate used"

It does not mean that the verification failed, it means that the verification wasn't attempted.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

jim.bus
Senior user
Posts: 1618
Joined: 2011-05-28 11:49
Location: US

Re: "Performing SSL/TLS handshake for session 7. Verify certificate: False"

Post by jim.bus » 2024-05-31 09:57

mattg wrote:
2024-05-31 08:52
mickyzac wrote:
2024-05-22 19:43
I have only sub domainservice.

I installed self-signed .crt to hMailserver, and on operation looks good.
However the log says

"Performing SSL/TLS handshake for session 7. Verify certificate: False"
What that line is actually saying is

"Performing SSL/TLS handshake for session 7 and I am NOT GOING TO TRY and verify the certificate used"

It does not mean that the verification failed, it means that the verification wasn't attempted.
Just making sure I didn't make any false statements about this function. I don't think any of my statements contradicted what you stated. The Original Poster didn't show any Log Entries but I believe in most cases, with the Verification option set to True in settings, a Log Entry stating Verify was false would most likely occur when an email client attempted to connect to hMailServer since hMailServer doesn't attempt to verify Client Certificates. Is that correct? However, what would be in the Logs if Verification was attempted and hMailServer couldn't verify the Certificate? I believe this would then show a Log Entry which states it was expecting a Remote Host Name and then a Log entry which states whether or not Certification Failed. At least that is what I see in my logs when it actually verifies the Remote Host Name Certificate.

mattg
Moderator
Posts: 22456
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: "Performing SSL/TLS handshake for session 7. Verify certificate: False"

Post by mattg » 2024-06-01 04:30

jim.bus wrote:
2024-05-31 09:57
However, what would be in the Logs if Verification was attempted and hMailServer couldn't verify the Certificate?
Here's an example

"DEBUG"	636	"2024-05-01 09:41:25.795"	"Certificate verification failed for session 3139. Expected host: hosted.example.com, Windows error code: -2146762487, Windows error message: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider."

Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
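
Added example, not part of the thread and not hMailServer code: a log triage script that separates the three cases the posters distinguish (verification not attempted, attempted with no failure logged, attempted and failed). It assumes the tab-separated layout of the log line quoted above; the sample log is constructed, and `classify` and `hresult` are illustrative names.

```python
import csv
import io
import re

# Constructed sample in the tab-separated layout of the log line quoted above.
# Session numbers 7 and 3139 and both message texts come from the thread;
# the 3139 handshake line, session 3140 and the other timestamps are made up.
SAMPLE_LOG = "\n".join([
    '"DEBUG"\t636\t"2024-05-01 09:41:20.101"\t"Performing SSL/TLS handshake for session 7. Verify certificate: False"',
    '"DEBUG"\t636\t"2024-05-01 09:41:25.502"\t"Performing SSL/TLS handshake for session 3139. Verify certificate: True"',
    '"DEBUG"\t636\t"2024-05-01 09:41:25.795"\t"Certificate verification failed for session 3139. '
    'Expected host: hosted.example.com, Windows error code: -2146762487, Windows error message: '
    'A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider."',
    '"DEBUG"\t636\t"2024-05-01 09:42:02.010"\t"Performing SSL/TLS handshake for session 3140. Verify certificate: True"',
])

HANDSHAKE = re.compile(r"Performing SSL/TLS handshake for session (\d+)\. Verify certificate: (True|False)")
FAILED = re.compile(r"Certificate verification failed for session (\d+)\. "
                    r"Expected host: ([^,]+), Windows error code: (-?\d+)")

def hresult(code: int) -> str:
    """Signed 32-bit Windows error code -> unsigned hex HRESULT."""
    # -2146762487 becomes 0x800B0109, which is CERT_E_UNTRUSTEDROOT.
    return f"0x{code & 0xFFFFFFFF:08X}"

def classify(log_text: str) -> dict:
    """Map session id -> status: not_attempted, attempted (no failure logged), or failed."""
    sessions = {}
    for row in csv.reader(io.StringIO(log_text), delimiter="\t"):
        if len(row) < 4:
            continue
        message = row[3]
        if m := HANDSHAKE.search(message):
            # "False" means verification was not attempted, not that it failed.
            status = "attempted" if m.group(2) == "True" else "not_attempted"
            sessions[m.group(1)] = {"status": status}
        elif m := FAILED.search(message):
            sessions.setdefault(m.group(1), {}).update(
                status="failed", expected_host=m.group(2), hresult=hresult(int(m.group(3))))
    return sessions

if __name__ == "__main__":
    for session, info in classify(SAMPLE_LOG).items():
        print(session, info)
```

Only the `failed` sessions need follow-up; a `not_attempted` entry on an inbound connection is expected behaviour according to the thread.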
