Certificate expired
in [Eudora]
|
From: Gloops on 6 Oct 2007 19:47 Hello everybody, Eudora cannot load my mails, it says "SSL Negociation Failed : One certificate in the server cert chain has Expired. Certificate bad : Destination Host name does not match host name in certificate. But ignoring this error because Certificate is trusted. The connection with the server has been lost." So, why is the connection lost, if the certificate is trusted ? Possibly an INI file which is write-protected ? But I released that from eudora.ini, and three other ones in the same directory. Deudora.ini is not write-protected. Bad direction ? I precise that Thunderbird has no difficulty with the same account (except the fact that it time to free space on the server). Bad idea to loose time with this, as the host never sent me any post explaining me about its certificates, so I could certify perfectly false and forged certificates. I see no utility to certificates in these conditions. Any tip, anybody ?
From: John H Meyers on 8 Oct 2007 14:10 On Sat, 06 Oct 2007 18:47:21 -0500: > Eudora cannot load my mails, it says "SSL Negociation Failed : One > certificate in the server cert chain has Expired. Certificate bad : > Destination Host name does not match host name in certificate. But > ignoring this error because Certificate is trusted. The connection with > the server has been lost." > > So, why is the connection lost, if the certificate is trusted ? Probably an unrelated timeout. A non-matching host name and expired certificate both indicate either spoofed or badly managed server, unless a private server, but both of those two errors can be avoided on any properly managed private server, even if they use self-generated, self-signed certificates (like our private internal server). > Possibly an INI file which is write-protected ? No. > But I released that from eudora.ini, and three other ones in the same > directory. Did you find Eudora.ini write-protected? Eudora can run anyway, and the above problem is very likely unrelated. > the host never sent me any post explaining me about its certificates, > so I could certify perfectly false and forged certificates. > I see no utility to certificates in these conditions. You could contact whoever maintains the mail server; they have the problem, and we can not fix it for them. > I just saw a file named "rootcerts.p7b" in the program directory of Eudora. > rootcerts sounds like certifications, does not it? And this was write-protected. > I renamed it "rootcerts._p7b_" and my mails were received in much less time. That file contains the "root certificates" containing the public keys of all the CA's who sign other servers' certificates, and is needed to verify any such properly signed server certificates. > Any tip, anybody ? Rename it back, and leave it write-protected, unless of course you don't want to retain the ability to verify any secure servers at all (at least those who purchase CA-signed certificates). Web browsers, email clients, and operating systems (like Windows) are all supplied with similar sets of "CA root certificates," whish should be retained; occasionally an optional "Microsoft Update" will offer new ones for IE and Windows, while others usually simply arrive unheralded, embedded within software updates. Besides certificates used by mail servers, the signing Certificate Authority (CA) certificates supplied with Eudora will themselves eventually expire and need replacement; the "Comodo" and "GTE Cyber Trust Root" certificates are already expired, but that's because those were withdrawn by the issuing CA themselves, and are not supposed to be relied on by anyone else. The next-expiring CA certificate in Eudora 7.1.0.9 expires in 2010 (RSA Data Security), and the next after that in 2018, as far as a quick scan seems to reveal, so there is no need to rush to update them (I've never even seen "RSA Data Security" used, so we seem set for more then ten years ahead, except only if new CA companies enter the field and are widely used). --
From: Gloops on 11 Oct 2007 03:55 John H Meyers wrote on 08th oct. 2007 20:10 : >> I just saw a file named "rootcerts.p7b" in the program directory of Eudora. >> rootcerts sounds like certifications, does not it? And this was write-protected. >> I renamed it "rootcerts._p7b_" and my mails were received in much less time. > > That file contains the "root certificates" containing the public keys > of all the CA's who sign other servers' certificates, > and is needed to verify any such properly signed server certificates. > >> Any tip, anybody ? > > Rename it back, and leave it write-protected, unless of course you don't want > to retain the ability to verify any secure servers at all > (at least those who purchase CA-signed certificates). Well, as I could receive my mails after unlocking that file, I keep the idea that certificates are a convention between the server and the client (me), and they begin to be useful once I really understood how they work and what they mean, and I personally verified by the server that they have the same certificate. Until I have done all that, perhaps I can consider the password as a valid authentication method ?
From: John H Meyers on 11 Oct 2007 12:45 On Thu, 11 Oct 2007 02:55:39 -0500: [re the "rootcerts.p7b" file which comes with Eudora] > Well, as I could receive my mails after unlocking that file, I keep the > idea that certificates are a convention between the server and the > client (me), and they begin to be useful once I really understood how > they work and what they mean, and I personally verified by the server > that they have the same certificate. Until I have done all that, perhaps > I can consider the password as a valid authentication method ? These "root" certificates help to authenticate to you the "signatures" on remote server certificates; that's all they do. The file is read-only because it does not change, and has nothing to do with any user, nor has it anything to do with any mail server. Any server's certificate that you approve is stored instead into the file "usercerts.p7b" in your mail _Data_ folder (where your mailboxes and options are saved), rather than into the Application (programs) folder, which normally are completely different places. A mail server's certificate is then used in the encryption process between your computer and the server, to exchange the session key used for SSL; all of this is very similar to how "secure" web sites are authenticated to you (not you being authenticated to them) when you use a web browser. Your original problem appears to have been a network timeout. A common reason for an initial network timeout with SSL is that Eudora _always_ takes longer to make its first SSL connection, and many people who start up Eudora simultaneously with other applications, heavily loading a CPU that isn't blazingly fast, find that their first connection times out most of the time, and then succeeds every other time, without doing anything in between, just as does mine. You may also have had a timeout simply during the interval waiting for you to first approve the mail server's certificate, which is also of course a one-time-only event. Setting your options to not even use SSL is of course yet another way to bypass all SSL and certificate issues, without needing to remove any read-only attributes or rename any "root" certificate file. I notice that I have not caught a cold since switching from Windows 2000 to Windows XP; hmm... would Vista be even better for me? --
From: Andrew Price on 11 Oct 2007 13:32
On Thu, 11 Oct 2007 11:45:20 -0500, "John H Meyers" <jhmeyers(a)nomail.invalid> wrote: [---] >Setting your options to not even use SSL is of course yet another way >to bypass all SSL and certificate issues, without needing >to remove any read-only attributes or rename any "root" certificate file. That's what I did, and I haven't experienced the slightest problem since doing so. |