Why is Gmail not changing all server certificates in sync?

I’m accessing my Gmail account from behind an HTTPS proxy, as described in this post. Thunderbird does not support that: for IMAP and SMTP only a SOCKS proxy can work. To cope with it I’m using a small local proxy that redirects any connection, via the proxy’s CONNECT method, to a remote host:port.

This works fine, but in the email client I had to set both the IMAP server and the SMTP server to localhost. Thunderbird is cautious about it, and since both connections use TLS/SSL there is a security issue: I’m connecting to localhost, but the certificates are for the *.gmail.com domain. Luckily Thunderbird lets me set a security exception: it asks whether I’ll allow that certificate for that host address, and if I confirm, everything works like a charm until Gmail changes the certificate on its servers (which happens a couple of times per year or so).

Picture 1. – Security exceptions stored in Thunderbird’s Properties / Advanced / Certificates (image: certificates)

They indeed have many load-balanced servers, so here is what happens during a certificate change: some servers already have the new certificate and some still have the old one. If my client by chance connects to a server with the new certificate, I get the security warning again, because the certificate in the stored permanent exception is different. Again I confirm, but then the next connection goes to another server, which still has the old certificate, and I get the security warning again; the next connection goes to a server with the new certificate, the next to one with the old, and so on, round and round.

Picture 2. – Security exception dialog (for IMAP connected through the local proxy) (image: sec-warning)

This usually goes on for several days. Why can’t they change and sync all certificates at once? Why does it take so long? I do not know, but if you do, I’d like to hear why.

Recently this situation happened again, and as usual it was quite annoying (more so because even if I switch off automatic retrieval of messages in the Thunderbird profile, it still opens some connections to the server every few minutes). But then I got an idea: what if I keep the correct server names in the Thunderbird profile, but mess with name resolution? E.g. I can put this into /etc/hosts:

#gmail proxy 
127.0.0.1	imap.gmail.com
127.0.0.1	smtp.gmail.com

And it works!
