Gmail POP SSL certs for Symbian / Nokia phones

20 Flares Twitter 19 Facebook 1 Google+ 0 Buffer 0 LinkedIn 0 20 Flares ×

Connecting to Gmail’s POP (POPS) server always caused a certificate warning on my Nokia E61 Symbian based phone. The solution is to add Google’s Gmail root SSL certificate to the phone. First check the SSL cert that gmail is advertising.


host1:~ kevin$ openssl s_client -connect pop.gmail.com:995 -showcerts
CONNECTED(00000003)
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----
MIIC3TCCAkagAwIBAgIDBZIAMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDUxMTE1MjEyMjQ0WhcNMDcxMTE2MjEyMjQ0
WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMN
TW91bnRhaW4gVmlldzEUMBIGA1UEChMLR29vZ2xlIEluYy4xFjAUBgNVBAMTDXBv
cC5nbWFpbC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMP8LCYiLGJ/
RihwcOi1V/zHVTw0Gfu+mI141Vjuuj2DtQoav8emwlXbu8gZoKP9GeMWpX1Vo9qN
4gkslIToHmDnIwGjcaEAfpdhSR9g54Kf5Y7BEXVyco6mTIlpe9vsbV0dmB1FvLP2
1N09dkUJfi7V0fjb8mcn3QYu6+6QNoxPAgMBAAGjga4wgaswDgYDVR0PAQH/BAQD
AgTwMB0GA1UdDgQWBBTdASsopgao1m8hcEg0cDZhucltljA6BgNVHR8EMzAxMC+g
LaArhilodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxzL3NlY3VyZWNhLmNybDAf
BgNVHSMEGDAWgBRI5mj5K9KylddH2CMgEE8zmJCf1DAdBgNVHSUEFjAUBggrBgEF
BQcDAQYIKwYBBQUHAwIwDQYJKoZIhvcNAQEFBQADgYEAln3/pVqYnUXA1TVGzOqX
LFhohGxpuNkr1UJnQmYxmZeB07uPBYRX8c0JXEKs29TmAHRsLhmp8kF36F11Dxgi
Xm/Y8I9zgWHoMj7SL3Ve/u8K8K7XcUyUuaWmldLQAREafpFy+f+KYHGuAVh8hjy6
XyPlMCqj+PNp8QXjgOcgO68=
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com
issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
No client certificate CA names sent
---
SSL handshake has read 891 bytes and written 332 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : DES-CBC3-SHA
Session-ID: 19B1FF1A50B6ABCDBB1FEDA198E5C69BC6EA76D1786ECEA5CB845DC2D9BBD6EC
Session-ID-ctx:
Master-Key: B1AF3801F0742D2EDB52B010EA2497B3D2AA7D38D65313D57CA0BCD67C59C902938E9F274B09BE95026441F313688179
Key-Arg : None
Start Time: 1150697367
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---

From this we see the root certificate is from Equifax. This certificate can be found in common root cert bundles but is not shipped by default on Nokia/Synbian phones. For reference here’s the Equifax root certificate.


-----BEGIN CERTIFICATE-----
MIIDIDCCAomgAwIBAgIENd70zzANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJV
UzEQMA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2Vy
dGlmaWNhdGUgQXV0aG9yaXR5MB4XDTk4MDgyMjE2NDE1MVoXDTE4MDgyMjE2NDE1
MVowTjELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VxdWlmYXgxLTArBgNVBAsTJEVx
dWlmYXggU2VjdXJlIENlcnRpZmljYXRlIEF1dGhvcml0eTCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEAwV2xWGcIYu6gmi0fCG2RFGiYCh7+2gRvE4RiIcPRfM6f
BeC4AfBONOziipUEZKzxa1NfBbPLZ4C/QgKO/t0BCezhABRP/PvwDN1Dulsr4R+A
cJkVV5MW8Q+XarfCaCMczE1ZMKxRHjuvK9buY0V7xdlfUNLjUA86iOe/FP3gx7kC
AwEAAaOCAQkwggEFMHAGA1UdHwRpMGcwZaBjoGGkXzBdMQswCQYDVQQGEwJVUzEQ
MA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2VydGlm
aWNhdGUgQXV0aG9yaXR5MQ0wCwYDVQQDEwRDUkwxMBoGA1UdEAQTMBGBDzIwMTgw
ODIyMTY0MTUxWjALBgNVHQ8EBAMCAQYwHwYDVR0jBBgwFoAUSOZo+SvSspXXR9gj
IBBPM5iQn9QwHQYDVR0OBBYEFEjmaPkr0rKV10fYIyAQTzOYkJ/UMAwGA1UdEwQF
MAMBAf8wGgYJKoZIhvZ9B0EABA0wCxsFVjMuMGMDAgbAMA0GCSqGSIb3DQEBBQUA
A4GBAFjOKer89961zgK5F7WF0bnj4JXMJTENAKaSbn+2kmOeUJXRmm/kEd5jhW6Y
7qj/WsjTVbJmcVfewCHrPSqnI0kBBIZCe/zuf6IWUrVnZ9NA2zsmWLIodz2uFHdh
1voqZiegDfqnc1zqcPGUIWVEX/r87yloqaKHee9570+sB3c4
-----END CERTIFICATE-----

The next step is to convert the Equifax certs to a format Symbian will accet. Start with putting it in a .pem file.

equifax.pem

Using openssl it can be converted to der format.


openssl x509 -outform DER -in equifax.pem -out equifax.der

equifax.der

The final step is to transfer these certificates to your phone. USB, IR, or Bluetooth will all work for this purpose. You’ll be prompted to add the certificate to your phone. Accepting this will permantly save the cert on your phone for future. Try connecting to gmail to ensure the certificate prompt/warning is no longer displayed.

ref ref2

20 Flares Twitter 19 Facebook 1 Google+ 0 Buffer 0 LinkedIn 0 20 Flares ×
Kevin Henrikson

Kevin Henrikson

Co-Founder Acompli (now Outlook iOS/Android) at Microsoft
Kevin Henrikson leads engineering for Microsoft Outlook iOS/Android. Previously, he co-founded Acompli and ran engineering prior to an acquisition by Microsoft in 2014 for $200M. Before Acompli, he was an Entrepreneur-in-Residence for Redpoint Ventures, a venture capital firm for early stage technology companies.
Kevin Henrikson

@KevinHenrikson

Outlook @microsoft was Co-Founder @acompli, EIR @redpoint. my favorite ceo @itsduhnise
Agreed. Sleep is the most natural performance enhancing drug. https://t.co/gbPT9cDtuJ - 19 hours ago
Kevin Henrikson
Kevin Henrikson

16 thoughts on “Gmail POP SSL certs for Symbian / Nokia phones

  1. Pingback: E-Series » Blog Archive » Google Gmail Settings for the Nokia E61 - Pt. 2

  2. jolo

    A much easier way – open the browser and go to: http://www.ocasta.co.uk/cert.html – download the Gmail certificate (Equifax). Then you can go to Settings >Security > Certif. Management. Choose Equifax and then options > trust settings. Disable ‘online certif. check’

  3. Christian F

    The problem with the certificate is to change the pop server to pop.googlemail.com in stead of pop.gmail.com. Keep the SMTP settings as they are. Thats all! At least for 6233

  4. Pingback: BagonK’s Blog » Setting GMail POP E-mail di Nokia 6233

  5. frustrated with e61/gmail

    Ok, so I have all the settings downloaded the certificate (my e61 told me its already installed!?). Have pop.googlemail.com and ssl 995 (that changes to port:standard sometimes, like others have it)…
    my account name xxxx@gmail.com and user name xxxx@gmail.com
    still i can not receive email, it simply keeps asking me for the password and user name three times and than tells me i got rejected hmmm…whats wrong?

  6. frustrated with e61/gmail

    oh and yes pop is enabled for all email on my gmail account..and works with my mail pop client on my mac

  7. NEED HELP!!!

    How can i install a certificate on my Samsung E250??? Ive downloaded the Gmail app on my phone. It opens up beautifully. I enter my login details. It then loads and then complains about a certificate error which prevents me from using the gmail app. NEEP HELP PLZ!!!

  8. Ilgaz

    It is really unbeliavable that Nokia, Equifax and Google have put their users to such hassle and security risk.

    Google as king of web could make a phonecall to Equifax people to setup a secure wap page to serve their certificates and Nokia themselves are putting their users to very significant risk to use such a weird way to install certificates. Nokia 9300 (series 80) could open .cer or x509 files and install them, Series 60 V3 which is years ahead requires some weird format…

    Thanks for this great tip and people, you better contact Equifax to get a “der” root certificate rather than becoming ultra paranoid if you download it from third party.

  9. wise

    my nokia 2760 is no longer downloading games and applications and i dont no why when i stop it it says unable to end shared connection

  10. Pat

    My nokia 6288 can not access my Gmail. It say that my certificates are invalid. What do I do?

    When I download items with opera mini, my phone says it does not know how to place the download and thats after consuming my bundle. Someone help. Use a simple language please I do not understand those complex jargons.

  11. tomv

    wow! who would think my nokia 9300 would get revamped to a gmail pop reader? thanks to your certificate. the certificate manager ate it like it was a yummy icecream! thx!

  12. dgmarious

    thanks guys for all these post. my greatest problem of certificate prompt on 9300 has been solved simply by downloading a thawte CA cert. and change the pop server of my gmail tp google mail instead of gmail.

  13. Dee

    Hi i tried and it won;t work. I have a 6120 Classic and it still says that when i log on to gmail from the web broswer which is really bugging me. Please can someone help me, and tel me how to remove this. I have the equifax certificate alrdy on the fone my phone tells me when i try to install it!

    HELP

Comments are closed.