# HOWTO: Read .Mac Mail on a SonyEricsson Phone

Update: Newer SonyEricsson models like the K610i already have the relevant CA certificate and can connect to .Mac servers without any trouble, so this should not be necessary anymore. Nevertheless, if you need to use one of those phones with your own private SSL certificates, the steps are exactly the same..

### Introduction

One of the interesting things about SonyEricsson phones is that they have a functional (if somewhat minimalist) IMAP client with TLS/SSL support.

However, the phones are extremely picky about the server certificates they accept, and I thought it was high time to document how to get .Mac mail over SSL working on them. I used a K750i, but this should work on any modern SonyEricsson device that has an "Encryption" option in the mail account settings menu.

Of course you can always use .Mac IMAP mail without encryption, but hey, it's your password - you figure out if you want it to be transmitted in clear text over the internet.

The following sections detail the basic technique, which should be applicable to just about any secure POP3 or IMAP service (such as Gmail) as well as any oddball WAP/HTTPS sites you may encounter.

### In a Nutshell

If you're in a hurry and are familiar with OpenSSL:

• The phones have to receive the certificates in DER format with a .cer extension
• You have to get the root CA certificate, not the server certificate (this is the bit that took some figuring out).

### Requirements

You need a UNIX box or Cygwin (although you might get away with using other versions of OpenSSL tools), and a machine with IrDA or Bluetooth support (to send the certificate to the phone).

### Getting The .MacIMAP Certificate

To be able to read the .Mac SSL certificate, you need to use the s_client command in OpenSSL like this:

$openssl s_client -showcerts -connect mail.mac.com:993 | tee log.txt (Note the -showcerts option, that dumps the entire certificate chain.) You can also use hostname:443 to read HTTPS certificates or hostname:995 for secure POP3 (Gmail, for instance). This will give the following output (which is saved to log.txt): CONNECTED(00000003) --- Certificate chain 0 s:/C=US/ST=CALIFORNIA/L=Cupertino/O=Apple Computer Inc/OU=Internet Services/OU=Terms of use at www.verisign.com/rpa (c)00/CN=mail.mac.com i:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign -----BEGIN CERTIFICATE----- MIIEdzCCA+CgAwIBAgIQQe4xYdUxe8L7gqpnhHPelTANBgkqhkiG9w0BAQUFADCB ujEfMB0GA1UEChMWVmVyaVNpZ24gVHJ1c3QgTmV0d29yazEXMBUGA1UECxMOVmVy aVNpZ24sIEluYy4xMzAxBgNVBAsTKlZlcmlTaWduIEludGVybmF0aW9uYWwgU2Vy dmVyIENBIC0gQ2xhc3MgMzFJMEcGA1UECxNAd3d3LnZlcmlzaWduLmNvbS9DUFMg SW5jb3JwLmJ5IFJlZi4gTElBQklMSVRZIExURC4oYyk5NyBWZXJpU2lnbjAeFw0w NDA2MjMwMDAwMDBaFw0wNjA2MjMyMzU5NTlaMIG7MQswCQYDVQQGEwJVUzETMBEG A1UECBMKQ0FMSUZPUk5JQTESMBAGA1UEBxQJQ3VwZXJ0aW5vMRswGQYDVQQKFBJB cHBsZSBDb21wdXRlciBJbmMxGjAYBgNVBAsUEUludGVybmV0IFNlcnZpY2VzMTMw MQYDVQQLFCpUZXJtcyBvZiB1c2UgYXQgd3d3LnZlcmlzaWduLmNvbS9ycGEgKGMp MDAxFTATBgNVBAMUDG1haWwubWFjLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw gYkCgYEA0mUwbwvd/TD0T+b1jFx6uOHSEFpD/5Dq21ni7SiUbOfV1aQN0voOG2H6 uoyqkoiIzJSBnAJ1wh0oE5chZdpHyhIPLr9XWfa+IF9r0GBqHNB7LXh07WeJTULm hp3WfxdWSlVTSiQUtpLmoNWtBJK5Hq2NzxK0yl45RN1ZkYvbOwkCAwEAAaOCAXkw ggF1MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgWgMEYGA1UdHwQ/MD0wO6A5oDeGNWh0 dHA6Ly9jcmwudmVyaXNpZ24uY29tL0NsYXNzM0ludGVybmF0aW9uYWxTZXJ2ZXIu Y3JsMEQGA1UdIAQ9MDswOQYLYIZIAYb4RQEHFwMwKjAoBggrBgEFBQcCARYcaHR0 cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYTAoBgNVHSUEITAfBglghkgBhvhCBAEG CCsGAQUFBwMBBggrBgEFBQcDAjA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGG GGh0dHA6Ly9vY3NwLnZlcmlzaWduLmNvbTBtBggrBgEFBQcBDARhMF+hXaBbMFkw VzBVFglpbWFnZS9naWYwITAfMAcGBSsOAwIaBBSP5dMahqyNjmvDz4Bq1EgYLHsZ LjAlFiNodHRwOi8vbG9nby52ZXJpc2lnbi5jb20vdnNsb2dvLmdpZjANBgkqhkiG 9w0BAQUFAAOBgQCRAo9dn4wZ5/4k6S9h0MSiQonifAXNbdcjL755U0lboJe4IO75 2KIEAKlX/y4/R/2WsWJ27jrv+iWkJEwYPlGBqo+3LrsDEBg+k2hl2WN3cIiIC6BC JK1oRT3Ue3zx/tYUcqnfhwwQNLXMVTLOFeZjbBn0HJNu0zNL0s40kzdngA== -----END CERTIFICATE----- 1 s:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority -----BEGIN CERTIFICATE----- MIIDgzCCAuygAwIBAgIQJUuKhThCzONY+MXdriJupDANBgkqhkiG9w0BAQUFADBf MQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsT LkNsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkw HhcNOTcwNDE3MDAwMDAwWhcNMTExMDI0MjM1OTU5WjCBujEfMB0GA1UEChMWVmVy aVNpZ24gVHJ1c3QgTmV0d29yazEXMBUGA1UECxMOVmVyaVNpZ24sIEluYy4xMzAx BgNVBAsTKlZlcmlTaWduIEludGVybmF0aW9uYWwgU2VydmVyIENBIC0gQ2xhc3Mg MzFJMEcGA1UECxNAd3d3LnZlcmlzaWduLmNvbS9DUFMgSW5jb3JwLmJ5IFJlZi4g TElBQklMSVRZIExURC4oYyk5NyBWZXJpU2lnbjCBnzANBgkqhkiG9w0BAQEFAAOB jQAwgYkCgYEA2IKA6NYZAn0fhRg5JaJlK+G/1AXTvOY2O6rwTGxbtueqPHNFVbLx veqXQu2aNAoV1Klc9UAl3dkHwTKydWzEyruj/lYncUOqY/UwPpMo5frxCTvzt01O OfdcSVq4wR3Tsor+cDCVQsv+K1GLWjw6+SJPkLICp1OcTzTnqwSye28CAwEAAaOB 4zCB4DAPBgNVHRMECDAGAQH/AgEAMEQGA1UdIAQ9MDswOQYLYIZIAYb4RQEHAQEw KjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL0NQUzA0BgNV HSUELTArBggrBgEFBQcDAQYIKwYBBQUHAwIGCWCGSAGG+EIEAQYKYIZIAYb4RQEI ATALBgNVHQ8EBAMCAQYwEQYJYIZIAYb4QgEBBAQDAgEGMDEGA1UdHwQqMCgwJqAk oCKGIGh0dHA6Ly9jcmwudmVyaXNpZ24uY29tL3BjYTMuY3JsMA0GCSqGSIb3DQEB BQUAA4GBAAgB7ORolANC8XPxI6I63unx2sZUxCM+hurPajozq+qcBBQHNgYL+Yhv 1RPuKSvD5HKNRO3RrCAJLeH24RkFOLA9D59/+J4C3IYChmFOJl9en5IeDCSk9dBw E88mw0M9SR2egi5SX7w+xmYpAY5Okiy8RnUDgqxz6dl+C2fvVFIa -----END CERTIFICATE----- 2 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority -----BEGIN CERTIFICATE----- MIICPDCCAaUCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQECBQAwXzELMAkG A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz cyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2 MDEyOTAwMDAwMFoXDTI4MDgwMTIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmlt YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN ADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ2RHP7gJYHyX3KqhE BarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaOIG+YD/is I19wKTakyYbnsZogy1Olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0G CSqGSIb3DQEBAgUAA4GBALtMEivPLCYATxQT3ab7/AoRhIzzKBxnki98tsX63/Do lbwdj2wsqFHMc9ikwFPwTtYmwHYBV4GSXiHx0bH/59AhWM1pF+NEHJwZRDmJXNyc AA9WjQKZ7aKQRUzkuxCkPfAyAw7xzvjoyVGM5mKf5p/AfbdynMk2OmufTqj/ZA1k -----END CERTIFICATE----- --- Server certificate subject=/C=US/ST=CALIFORNIA/L=Cupertino/O=Apple Computer Inc/OU=Internet Services/OU=Terms of use at www.verisign.com/rpa (c)00/CN=mail.mac.com issuer=/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign --- No client certificate CA names sent --- SSL handshake has read 2792 bytes and written 346 bytes --- New, TLSv1/SSLv3, Cipher is RC4-MD5 Server public key is 1024 bit SSL-Session: Protocol : SSLv3 Cipher : RC4-MD5 Session-ID: 009F4F3B795EB657E667DE7160BE368E2067C40746A9CD12B1F8D2D3D6F00EE1 Session-ID-ctx: Master-Key: 399658CF8CD02A5331E56CCD972A84743E3BEBC75D9A50F18FE6C0027258D9F371A6723B42F7DBCEE93FDB542469D028 Key-Arg : None Start Time: 1117211096 Timeout : 300 (sec) Verify return code: 19 (self signed certificate in certificate chain) --- * OK Netscape Messaging Multiplexor ready At this point, you will be in "transparent" mode, talking directly to the IMAP server. Just type "QUIT" (all caps) to close the session - IMAP purists can also type "00 logout". ### Converting The Certificate So, next up we need to edit the log.txt file and grab the last CA certificate in the chain, which is this bit:  2 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority -----BEGIN CERTIFICATE----- MIICPDCCAaUCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQECBQAwXzELMAkG A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz cyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2 MDEyOTAwMDAwMFoXDTI4MDgwMTIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmlt YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN ADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ2RHP7gJYHyX3KqhE BarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaOIG+YD/is I19wKTakyYbnsZogy1Olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0G CSqGSIb3DQEBAgUAA4GBALtMEivPLCYATxQT3ab7/AoRhIzzKBxnki98tsX63/Do lbwdj2wsqFHMc9ikwFPwTtYmwHYBV4GSXiHx0bH/59AhWM1pF+NEHJwZRDmJXNyc AA9WjQKZ7aKQRUzkuxCkPfAyAw7xzvjoyVGM5mKf5p/AfbdynMk2OmufTqj/ZA1k -----END CERTIFICATE----- Save that as ca.cer (you can drop the first two lines, they're just for your benefit). You can get a better look at the certificate contents by typing: $ openssl x509 -inform PEM -in ca.cer -text
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
70:ba:e4:1d:10:d9:29:34:b6:38:ca:7b:03:cc:ba:bf
Signature Algorithm: md2WithRSAEncryption
Issuer: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
Validity
Not Before: Jan 29 00:00:00 1996 GMT
Not After : Aug  1 23:59:59 2028 GMT
Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:c9:5c:59:9e:f2:1b:8a:01:14:b4:10:df:04:40:
db:e3:57:af:6a:45:40:8f:84:0c:0b:d1:33:d9:d9:
11:cf:ee:02:58:1f:25:f7:2a:a8:44:05:aa:ec:03:
1f:78:7f:9e:93:b9:9a:00:aa:23:7d:d6:ac:85:a2:
63:45:c7:72:27:cc:f4:4c:c6:75:71:d2:39:ef:4f:
42:f0:75:df:0a:90:c6:8e:20:6f:98:0f:f8:ac:23:
5f:70:29:36:a4:c9:86:e7:b1:9a:20:cb:53:a5:85:
e7:3d:be:7d:9a:fe:24:45:33:dc:76:15:ed:0f:a2:
71:64:4c:65:2e:81:68:45:a7
Exponent: 65537 (0x10001)
Signature Algorithm: md2WithRSAEncryption
bb:4c:12:2b:cf:2c:26:00:4f:14:13:dd:a6:fb:fc:0a:11:84:
8c:f3:28:1c:67:92:2f:7c:b6:c5:fa:df:f0:e8:95:bc:1d:8f:
6c:2c:a8:51:cc:73:d8:a4:c0:53:f0:4e:d6:26:c0:76:01:57:
81:92:5e:21:f1:d1:b1:ff:e7:d0:21:58:cd:69:17:e3:44:1c:
9c:19:44:39:89:5c:dc:9c:00:0f:56:8d:02:99:ed:a2:90:45:
4c:e4:bb:10:a4:3d:f0:32:03:0e:f1:ce:f8:e8:c9:51:8c:e6:
62:9f:e6:9f:c0:7d:b7:72:9c:c9:36:3a:6b:9f:4e:a8:ff:64:
0d:64
-----BEGIN CERTIFICATE-----
MIICPDCCAaUCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQECBQAwXzELMAkG
A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz
cyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2
MDEyOTAwMDAwMFoXDTI4MDgwMTIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV
BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmlt
YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN
BarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaOIG+YD/is
I19wKTakyYbnsZogy1Olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0G
CSqGSIb3DQEBAgUAA4GBALtMEivPLCYATxQT3ab7/AoRhIzzKBxnki98tsX63/Do
lbwdj2wsqFHMc9ikwFPwTtYmwHYBV4GSXiHx0bH/59AhWM1pF+NEHJwZRDmJXNyc
AA9WjQKZ7aKQRUzkuxCkPfAyAw7xzvjoyVGM5mKf5p/AfbdynMk2OmufTqj/ZA1k
-----END CERTIFICATE-----

...and we can convert it to DER format by typing:

\$ openssl x509 -inform PEM -in ca.cer -outform DER -out beam.cer

The resulting file is in DER binary format, and this is the one you have to beam to your phone.

The phone will ask you to confirm the transfer and let you view a summary of the certificate details, and when you accept it should create an entry for the new CA at the bottom of your Internet Settings, Security, Trusted Cert. menu.

Mine reads "Class 3 Public Primary Certifica".