Child Item

Site Totals

61185 Questions Answered 267 Categories

Rejected SMTP SSL Certificate

In February 2015 I began to experience a problem with a rejected SSL certificate (Baltimore CyberTrust Root) using my legacy unsupported e-mail client (Eudora 7.1.0.9) which prevented sending e-mail through smtp.verizon.net on this Windows 7 PC. This had been working find for a long time and, yes, I have set the outgoing port to 465 per changes by Verizon long ago. I was concerned whether or not the rejected certificate should be trusted and did web searches, including on this forum, to see if I could get more information. There have been similar problems in past years, some of which were really related to changing the port number, but there didn’t seem to be anything recent. I contacted Verizon tech support and was told there have been no recent changes and that the problem is on the client side and it was beyond their scope to provide support for a legacy application. I then posted to another forum I belong to and learned that new apps use the Windows Trusted Root Certificate store which is updated through Windows Update but this doesn’t affect any dedicated certificate store for the email client app itself.

I discovered through Wikipedia that the CyberTrust is a company owned by Verizon so that made me feel a bit more comfortable and I ended up trusting the certificate through Eudora and was able to again be able to send e-mail through smtp.verizon.net.

But I’m wondering if anyone else who may be using a legacy email client (Eudora or something else) has had this experience as recently as February and whether you solved it as I did. This would give me some added comfort with having done so.

Many thanks for any input.

Comments

tns2

Be concerned. but not necessarily greatly. Even if you had no trust for CyberTrust, its Verizon Certificate for SSL and since you are connected to them there is no real risk.

Usual way to fix these certificates is to locate the root certificate, and if its expired get the new root certificate from the authority. Ocassionally you also have to do Intermediate certificates. A lot of consumer software relies on this being done by the OS its on. And many of these do it automatically as part of their regular maintenance. Don't know much about Eudora, but it may be managing its own certificates, and since support no longer exists these root certificates may have expired.

Verizon_Support

Hi rob19,

This is actually interesting. I haven't heard of something like this with Eudora but I must admit that we have a very small user base of customers that use it. It's not surprising though especially when you consider that all companies are really beefing up on security online these days.

If anyone else has experienced this, can you guys chime in also?

rob192

I should have made note of the fact that the validity dates for the rejected certificate are from 2000 to 2025, so it hadn't expired.

Someone on the other forum I posted to suggested that the cert may have been reissued with a longer key. This is really out of my area of expertise so I don't know how to check that.

Also that there would be a matching cert in the Windows Trusted Certificate store that would have been updated by Windows update but was not available to Eudora because it uses it's own store so the rejected cert had to be trusted manually.

I just would have hoped there is some other Verizon.net user out there that still uses Eudora or another older mail client that would have experienced this at about the same time I did.

tns2

All the certificates in the chain from the one for the site you are using back to the root certificate must be valid including dates. Did the software identify a specific error or certificate? Actually the checks are normally only done to it finds one you have installed as trusted in your certificate (key) cache which normally means the root certificates of the Trusted Certificate Authorities. And they must not be in CRL or ARL list (revoked).

rob192

For the record, here is the error message generated by Eudora:

The server’s SSL certificate was rejected for the following reason:
Certficate Error: Unknown and unprovided root certificate.
Do you want to trust the certificate in future sessions?

Certificate:
Data&colon;
Version: 3 (0x2)
Serial Number: 33554617 (0x20000b9)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
Validity
Not Before: May 12 18:46:00 2000 GMT
Not After : May 12 23:59:00 2025 GMT
Subject: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)

This was followed by the Pubic Key (in Hex) and Yes/No buttons to trust the certificate

After consultation with another forum, I clicked Yes and the e-mail was sent successfully.

There were no subsequent certificate errors and no further action was needed.

So what do CRL and ARL refer to and where are these lists found?

tns2

Certificate Revocation List and Authority Revocation list.

There are lots of threads out there about Eudora using a old Cybertrust certificate. But if you are only using it for your Eudora it probably is not that important..

Other theads about it not having certain other authorities certificate root certificates when using other mail servers. Simple workaround is essentially to use Eudora's tool to find the bad or missing Root certificate and to Trust it. Since it doesn't effect other products it is safe IF you trust the mail server you are talking to. Also possible to find Cybertrust root certificate at its site (seems well hidden now that its a verizon service) and added it more directly which I would recommend if doing to your OS or Webbrowser.

starrin

I'm now in the same boat, EXCEPT when I click yes as to whether I want to use the certificate for future sessions, it lets me in, but does not save the certificate. I get the mail for that session only.

Any thoughts. I'm about to shift to EUDORA OSE or THunderbird

Alan_Douglas

Add me to the list as of two days ago. I can still receive email but get a certificate error when sending it. I can send via Outlook but that's not terribly convenient. What has just changed?

VanessaS

I had the same problem using Eudora 7.1.0.9 starting 2 days ago. No changes made except for a Windows udpate. I also run the free version of Avast. My error message referred to the Avast certificate being no good. I disabled scanning outgoing mail from Avast, but then got an error message same as referenced above. To further complicate matters, I have personalities set up in Eudora that allow me to send through Verizon, but receive through a different ISP.

I changed the Avast settings to again allow scanning of outgoing mail. I then went to the properties of my sending personality, clicked on last SSL info and then on Certificate Information Manager. At the top was a certificate generated by Avast with a "+" sign next to it. Clicking on that, I continued to follow the list down to the bottom where there was a Verizon certificate with what looked like a little skull and crossbones next to it. I highlighted that and told Eudora to accept it and all is currently well. We will see if it lasts.

Alan_Douglas

@VanessaS wrote:
I then went to the properties of my sending personality, clicked on last SSL info and then on Certificate Information Manager.

Hot dog! The Certificate Manager worked, even though it took two tries, first for one from the Netherlands and then one from Irving, Texas. Thanks.

flameout66

I'm a total novice working with certifs and have the same problems as many others....using Eudora 6.2.5.6

Starting a few days ago, I couldn't send email...Today I cannot check mail. The certificate has expired, obviously.

It doesn't matter if I "add to trusted".

Can someone please tell me the next step, if there is one. I've never done anything with any certifs, ever...

Though, I've been using Eudora for nearly 20 years !

thanx much for any help

Xanthippia

I'm now in the same boat... my version of Eudora is showing the same certificate problem as yours, also from the Irving, TX location. I have tried the various solutions people have offered on the web forums, but without luck. I have right-clicked the dominant personality, opened Properties, selected Incoming Mail, and Last SSL. Every time, I have the same skull-and-crossbones on the last certificate in the list under Cybertrust (which is actually owned by Verizon), and no matter how many times I tell it to Add to Trusted, it doesn't.

Any other suggestions (other than using a different email client)? Is there a way outside of Eudora to import an updated, valid certificate?

Thanks for any advice you can offer. I'm going nuts here.

UPDATE: Okay, I decided to have one more whack at it, and sure enough, I had to "crawl" from the top icon (a smiley face) all the way down to the bottom (the skull and crossbones), going through the same miserable steps at each level.

right-click the Dominant Personality.
click Properties.
select the Incoming Mail tab.
click Last SSL button.
open the Certificate Manager.
open the smiley face icon tree until you get to the skull and crossbones.
select the top one (and when you repeat this list, select the next, and the next, and so on, until you get to the bottom).
click Add to Trusted.
Click Done (this closes the Certificate Manager).
Close the Personality box.
send a test mail (it will fail until all the nodes are trusted).
repeat steps 1-11 until you finally add the skull and crossbones line to the Trusted list.

Your mileage may vary, but I was shocked when I could finally send/receive email again using Eudora.

kornides

Having the same problem, could not send mail beginning 8/28, but could receive it.

Today, 8/31, could neither send nor receive... so came here.

Doing the steps as above has only restored incoming mail; still can't send, and all the certificates I can see are accepted (smiley faces instead of skull/crossbones).

Anything else to try? I'm loathe to abandon Eudora b/c it works better than any of the alternatives and I have a >20 yr archive that I don't want to lose.

RadDadTX

I am able to RX mail by trusting the new certificates in the Certificate Manager. These are associated with the pop.verizon.net certificate.

Sending mail is still broken as the SSL negotiation fails and the certificate will not update. This is associated with the smtp.verizon.net certificate.

I also tried renaming my Eudora usercerts.p7b file (manages SSL certificates) and building a new one with the same results. smtp.verizon.net will not update????

Child Item