03-18-2013 01:06 PM - last edited on 03-18-2013 07:02 PM by maikoro
Running the latest version of the firmware (20121220 48.272.0) but clearly the implementation of "SSL Support for SMTP" isn't adequate for today's world. I am posting in hopes for others to save themselves time and grief while getting this to work specifically with Google Apps (or GMail).
To recap, I tried to interface the printer with Google Apps using SSL. As per Google, you have two options - one is to use SSL authentication which permits you to authenticate to their services and scan-to-email to any valid email address or to use regular SMTP and only send to other Google Apps or GMail addresses. The non-SSL works fine, you just point to aspmx.l.google.com on port 25 and you are done.
The SSL option is what causes a lot of grief as the hp mfp throws errors of either Unknown CA or Unknown Certificate as per Wireshark.
The setup is relatively easy in theory, point to smtp.gmail.com, checkmark "Enable SSL Support for SMTP" and either use port 465 (SSL) or 587 (STARTTLS).
Port 465 doesn't work at all. I don't think the mfp knows that it has to establish an SSL connection on port 465 and it just keeps sending packets to the remote host without success. So scratch getting port 465 to work at all.
Port 587 was more promising. The "Test" button works in the web console since the remote host responds in plain text and switches to TLS when STARTTLS is issued... and this is when all the trouble begins.
Looking at Wireshark, the device successfully connects and sends the STARTTLS, sends a Client Hello, the remote responds in turn with a Server Hello and it sends its certificates. For smtp.gmail.com it sends two certificates - one for smtp.gmail.com which is issued by Google Internet Authority, and then it also sends the certificate for Google Internet Authority which is signed by Equifax Secure Certificate Authority.
This is when the mfp device throws the first error - Alert: (Level: Fatal, Description: Unknown CA). This is a fairly common error in most email setups which basically means the device is not aware of the Equifax Certificate... No problem, the mfp has a Certificate Management option. I've uploaded the Equifax certificate and tried again! This time the device exchanges certificates but throws a fatal Unknown Certificate error which is pretty generic. I've tried extracting (using openssl) the smtp.gmail.com certificate and importing it into the device to no avail, then I tried to extract and import the Google Internet Authority certificate and again to no avail... I've had all /three/ certificates on the device which is the entire chain of certificates but clearly the mfp chokes on something else in this setup and I've had to choose the less frustrating route and just use the non-SSL SMTP delivery for now.
If anybody from HP is reading, it would be nice if you guys could open a problem ticket for this because it seems like all the functionality is there but clearly a bug/feature prevents this from working. It would also be nice if an option existed in the device to ignore certificate errors because what we really want is simply a secure tunnel vs verifying the chain of certificates when sending emails in 99.99% of the cases. I am certain this would resolve this issue and help many scenarios.
If needed, I can provide the Wireshark captures for this.
P.S. this thread has been moved from LaserJets to Multifunction and All-in-One - HP Forums moderator
03-18-2013 01:27 PM
You are not alone:
HP is not required to respond to anything posted here as this is a user to user forum. Open an incident with HP directly for a more speedy and official response.
03-18-2013 08:25 PM
>I've tried extracting (using openssl) the smtp.gmail.com certificate and importing it into the device to no avail, then I tried to extract and import the Google Internet Authority certificate and again to no avail... I've had all /three/ certificates on the device which is the entire chain of certificates
Could you please zip up and attach these three certificates and I'll check to see if "openssl verify" likes them.
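An offline version of the `openssl verify` check requested above, as an added example that is not part of the thread: it builds a constructed root, intermediate and leaf chain (placeholder names and files, not the real Google or Equifax certificates) and reports which combinations of trusted and supplied certificates verify. The function names are hypothetical; the `openssl` options are standard ones from OpenSSL 1.1.0 and later.

```shell
#!/bin/sh
# Added example. Constructed chain: root -> intermediate -> leaf.
# Subject and file names are placeholders, not the real Google/Equifax certificates.
d=$(mktemp -d)
trap 'rm -rf "$d"' EXIT
# Extensions that mark a certificate as a CA (used for root and intermediate).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"

# newcert NAME CN ISSUER [ca]: new key and CSR, self-signed when ISSUER is "self".
newcert() {
  name=$1 cn=$2 issuer=$3 ext=""
  [ "${4:-}" = ca ] && ext="-extfile $d/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null || return 1
  if [ "$issuer" = self ]; then
    openssl x509 -req -in "$d/$name.csr" -signkey "$d/$name.key" $ext \
      -days 30 -out "$d/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$d/$name.csr" -CA "$d/$issuer.pem" -CAkey "$d/$issuer.key" \
      -CAcreateserial $ext -days 30 -out "$d/$name.pem" 2>/dev/null
  fi
}
newcert root "Example Root CA" self ca
newcert int "Example Intermediate CA" root ca
newcert leaf "smtp.example.test" int

# verdict ARGS...: run one "openssl verify" and print OK or FAIL.
verdict() {
  if openssl verify "$@" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}
# Root trusted, intermediate supplied by the peer: the normal case.
full_chain()      { verdict -CAfile "$d/root.pem" -untrusted "$d/int.pem" "$d/leaf.pem"; }
# Root trusted but the intermediate is missing: no path from leaf to root.
no_intermediate() { verdict -CAfile "$d/root.pem" "$d/leaf.pem"; }
# No trust anchor at all: the condition a TLS unknown_ca alert reports.
no_root()         { verdict -no-CAfile -no-CApath -untrusted "$d/int.pem" "$d/leaf.pem"; }
# Only the intermediate in the trust store: fails unless partial chains are allowed.
int_as_anchor()   { verdict -CAfile "$d/int.pem" "$d/leaf.pem"; }
int_partial()     { verdict -partial_chain -CAfile "$d/int.pem" "$d/leaf.pem"; }

for t in full_chain no_intermediate no_root int_as_anchor int_partial; do
  printf '%-16s %s\n' "$t" "$($t)"
done
```

To check real files instead, replace the three `.pem` paths with the extracted certificates; dropping the `>/dev/null 2>&1` in `verdict` shows the specific verification error OpenSSL reports.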