Gmail users can't retrieve email from third-party services using self-signed SSL certificates.
For the past week, access to a third-party email service through Gmail has stopped as of December 11 after years of trouble-free email retrieval. According to the mail fetch history panel, it's an SSL Security Error that's preventing email retrieval from the pop3 server, reporting that the SSL certificate has expired. Naturally a technical support request has been placed with the third-party provider, but now a new report indicates that Google is responsible for the Gmail SSL error thanks to a new policy.
According to Slashdot, Google's Gmail servers have been reconfigured to not connect to remote pop3 servers that have self-signed certificates. Thus Gmail users trying to get email from other services may be left with an unencrypted connection, or no access to the services whatsoever.
"As of December 2012, Gmail uses 'strict' SSL1 security," the company states. "This means that we'll always enforce that your other provider's remote server has a valid SSL certificate. We made this change to offer a higher level of security to better protect your information."
In other words, Google will now only accept SSL certificates from a paid provider approved by Google. The company states that Gmail users can always uncheck the "Always use a secure connection (SSL) when retrieving mail" option on the Accounts and Import tab in the Gmail settings menu, but that also means the user's password and email will not be protected while sent over the Internet.
The other option is to notify the third-party email service of the error so they can "fix" their SSL setup. The Slashgear report suggests that public keys should be placed on Google's side in the user configuration rather than simply dumping the problem on the user and then moving on.
"If the error is not fixed, we will disable your mail fetching and stop retrieving your messages from your other account," Google said. "We do not accept self-signed certificates. For a certificate to be valid it needs to chain up to a valid CA, like one in the Mozilla CA list."
So far Google has not publicly announced the change in its SSL policy via a blog update or press release.