Gmail POP SSL certs for Symbian / Nokia phones
Connecting to Gmail’s POP (POPS) server always caused a certificate warning on my Nokia E61 Symbian based phone. The solution is to add Google’s Gmail root SSL certificate to the phone. First check the SSL cert that gmail is advertising.
host1:~ kevin$ openssl s_client -connect pop.gmail.com:995 -showcerts
CONNECTED(00000003)
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----
MIIC3TCCAkagAwIBAgIDBZIAMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDUxMTE1MjEyMjQ0WhcNMDcxMTE2MjEyMjQ0
WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMN
TW91bnRhaW4gVmlldzEUMBIGA1UEChMLR29vZ2xlIEluYy4xFjAUBgNVBAMTDXBv
cC5nbWFpbC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMP8LCYiLGJ/
RihwcOi1V/zHVTw0Gfu+mI141Vjuuj2DtQoav8emwlXbu8gZoKP9GeMWpX1Vo9qN
4gkslIToHmDnIwGjcaEAfpdhSR9g54Kf5Y7BEXVyco6mTIlpe9vsbV0dmB1FvLP2
1N09dkUJfi7V0fjb8mcn3QYu6+6QNoxPAgMBAAGjga4wgaswDgYDVR0PAQH/BAQD
AgTwMB0GA1UdDgQWBBTdASsopgao1m8hcEg0cDZhucltljA6BgNVHR8EMzAxMC+g
LaArhilodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxzL3NlY3VyZWNhLmNybDAf
BgNVHSMEGDAWgBRI5mj5K9KylddH2CMgEE8zmJCf1DAdBgNVHSUEFjAUBggrBgEF
BQcDAQYIKwYBBQUHAwIwDQYJKoZIhvcNAQEFBQADgYEAln3/pVqYnUXA1TVGzOqX
LFhohGxpuNkr1UJnQmYxmZeB07uPBYRX8c0JXEKs29TmAHRsLhmp8kF36F11Dxgi
Xm/Y8I9zgWHoMj7SL3Ve/u8K8K7XcUyUuaWmldLQAREafpFy+f+KYHGuAVh8hjy6
XyPlMCqj+PNp8QXjgOcgO68=
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com
issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
No client certificate CA names sent
---
SSL handshake has read 891 bytes and written 332 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : DES-CBC3-SHA
Session-ID: 19B1FF1A50B6ABCDBB1FEDA198E5C69BC6EA76D1786ECEA5CB845DC2D9BBD6EC
Session-ID-ctx:
Master-Key: B1AF3801F0742D2EDB52B010EA2497B3D2AA7D38D65313D57CA0BCD67C59C902938E9F274B09BE95026441F313688179
Key-Arg : None
Start Time: 1150697367
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
From this we see the root certificate is from Equifax. This certificate can be found in common root cert bundles but is not shipped by default on Nokia/Synbian phones. For reference here’s the Equifax root certificate.
-----BEGIN CERTIFICATE-----
MIIDIDCCAomgAwIBAgIENd70zzANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJV
UzEQMA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2Vy
dGlmaWNhdGUgQXV0aG9yaXR5MB4XDTk4MDgyMjE2NDE1MVoXDTE4MDgyMjE2NDE1
MVowTjELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VxdWlmYXgxLTArBgNVBAsTJEVx
dWlmYXggU2VjdXJlIENlcnRpZmljYXRlIEF1dGhvcml0eTCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEAwV2xWGcIYu6gmi0fCG2RFGiYCh7+2gRvE4RiIcPRfM6f
BeC4AfBONOziipUEZKzxa1NfBbPLZ4C/QgKO/t0BCezhABRP/PvwDN1Dulsr4R+A
cJkVV5MW8Q+XarfCaCMczE1ZMKxRHjuvK9buY0V7xdlfUNLjUA86iOe/FP3gx7kC
AwEAAaOCAQkwggEFMHAGA1UdHwRpMGcwZaBjoGGkXzBdMQswCQYDVQQGEwJVUzEQ
MA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2VydGlm
aWNhdGUgQXV0aG9yaXR5MQ0wCwYDVQQDEwRDUkwxMBoGA1UdEAQTMBGBDzIwMTgw
ODIyMTY0MTUxWjALBgNVHQ8EBAMCAQYwHwYDVR0jBBgwFoAUSOZo+SvSspXXR9gj
IBBPM5iQn9QwHQYDVR0OBBYEFEjmaPkr0rKV10fYIyAQTzOYkJ/UMAwGA1UdEwQF
MAMBAf8wGgYJKoZIhvZ9B0EABA0wCxsFVjMuMGMDAgbAMA0GCSqGSIb3DQEBBQUA
A4GBAFjOKer89961zgK5F7WF0bnj4JXMJTENAKaSbn+2kmOeUJXRmm/kEd5jhW6Y
7qj/WsjTVbJmcVfewCHrPSqnI0kBBIZCe/zuf6IWUrVnZ9NA2zsmWLIodz2uFHdh
1voqZiegDfqnc1zqcPGUIWVEX/r87yloqaKHee9570+sB3c4
-----END CERTIFICATE-----
The next step is to convert the Equifax certs to a format Symbian will accet. Start with putting it in a .pem file.
Using openssl it can be converted to der format.
openssl x509 -outform DER -in equifax.pem -out equifax.der
The final step is to transfer these certificates to your phone. USB, IR, or Bluetooth will all work for this purpose. You’ll be prompted to add the certificate to your phone. Accepting this will permantly save the cert on your phone for future. Try connecting to gmail to ensure the certificate prompt/warning is no longer displayed.
Recent Search Terms:
July 5th, 2006 at 3:45 pm
Thanks for the information it worked wonderfully on my also new Nokia E61
July 9th, 2006 at 9:49 pm
[...] Thomas Mango at Trikenit pointed out this solution by Kevin Henrikson. Rafe from the indispensable site All About Symbian suggested a similar solution which I outlined below. [...]
July 10th, 2006 at 7:21 am
A much easier way – open the browser and go to: http://www.ocasta.co.uk/cert.html – download the Gmail certificate (Equifax). Then you can go to Settings >Security > Certif. Management. Choose Equifax and then options > trust settings. Disable ‘online certif. check’
August 30th, 2006 at 1:50 pm
The problem with the certificate is to change the pop server to pop.googlemail.com in stead of pop.gmail.com. Keep the SMTP settings as they are. Thats all! At least for 6233
October 29th, 2006 at 12:46 am
[...] Semoga berhasil… have fun… Sumber : http://kevinhenrikson.com/2006/06/18/gmail-pop-ssl-certs-for-symbian-nokia-phones/ Permalink [...]
November 9th, 2006 at 2:38 am
Thanks indeed. It worked!
December 8th, 2006 at 11:06 am
Ok, so I have all the settings downloaded the certificate (my e61 told me its already installed!?). Have pop.googlemail.com and ssl 995 (that changes to port:standard sometimes, like others have it)…
my account name xxxx@gmail.com and user name xxxx@gmail.com
still i can not receive email, it simply keeps asking me for the password and user name three times and than tells me i got rejected hmmm…whats wrong?
December 8th, 2006 at 11:08 am
oh and yes pop is enabled for all email on my gmail account..and works with my mail pop client on my mac
April 11th, 2007 at 1:50 am
[...] How can you do this yourself? Follow the instructions by Kevin Henrikson in “Gmail POP SSL certs for Symbian / Nokia phones“. I have used Opera to easily export the certificate, but the OpenSSL method used by Kevin also works fine. (Plus there seems to be some bug with the export function in the latest version – 9.10 – of Opera, or at least on Windows Vista. Can’t say which one is the faulty one for sure.) The settings for connecting to the UoV mail server can be found here. [...]
July 8th, 2007 at 7:03 am
Atlast I can use pop in my mobile thanks. Thank you very much. :)
July 23rd, 2007 at 2:35 pm
How can i install a certificate on my Samsung E250??? Ive downloaded the Gmail app on my phone. It opens up beautifully. I enter my login details. It then loads and then complains about a certificate error which prevents me from using the gmail app. NEEP HELP PLZ!!!
March 27th, 2008 at 3:11 pm
It is really unbeliavable that Nokia, Equifax and Google have put their users to such hassle and security risk.
Google as king of web could make a phonecall to Equifax people to setup a secure wap page to serve their certificates and Nokia themselves are putting their users to very significant risk to use such a weird way to install certificates. Nokia 9300 (series 80) could open .cer or x509 files and install them, Series 60 V3 which is years ahead requires some weird format…
Thanks for this great tip and people, you better contact Equifax to get a “der” root certificate rather than becoming ultra paranoid if you download it from third party.
December 23rd, 2008 at 7:31 am
my nokia 2760 is no longer downloading games and applications and i dont no why when i stop it it says unable to end shared connection
December 23rd, 2008 at 7:32 am
i like nokia