Rejected SMTP SSL Certificate

Contributor rob19
Contributor
Posts: 4
Registered: ‎03-30-2015
Message 1 of 20
(4,449 Views)

In February 2015 I began to experience a problem with a rejected SSL certificate (Baltimore CyberTrust Root) using my legacy unsupported e-mail client (Eudora 7.1.0.9) which prevented sending e-mail through smtp.verizon.net on this Windows 7 PC. This had been working fine for a long time and, yes, I have set the outgoing port to 465 per changes by Verizon long ago. I was concerned whether or not the rejected certificate should be trusted and did web searches, including on this forum, to see if I could get more information. There have been similar problems in past years, some of which were really related to changing the port number, but there didn’t seem to be anything recent. I contacted Verizon tech support and was told there have been no recent changes and that the problem is on the client side and it was beyond their scope to provide support for a legacy application. I then posted to another forum I belong to and learned that new apps use the Windows Trusted Root Certificate store, which is updated through Windows Update, but this doesn’t affect any dedicated certificate store for the email client app itself.

 

I discovered through Wikipedia that CyberTrust is a company owned by Verizon, so that made me feel a bit more comfortable, and I ended up trusting the certificate through Eudora and was again able to send e-mail through smtp.verizon.net.

 

But I’m wondering if anyone else who may be using a legacy email client (Eudora or something else) has had this experience as recently as February and whether you solved it as I did. This would give me some added comfort with having done so.

 

Many thanks for any input.

19 REPLIES
Gold Contributor II
Posts: 4,437
Registered: ‎12-16-2012
Message 2 of 20
(4,425 Views)

Be concerned, but not necessarily greatly. Even if you had no trust for CyberTrust, it's Verizon's certificate for SSL, and since you are connected to them there is no real risk.

 

Usual way to fix these certificates is to locate the root certificate, and if it's expired, get the new root certificate from the authority. Occasionally you also have to do intermediate certificates. A lot of consumer software relies on this being done by the OS it's on, and many of these do it automatically as part of their regular maintenance. Don't know much about Eudora, but it may be managing its own certificates, and since support no longer exists these root certificates may have expired.

 

 

Employee
Posts: 3,173
Registered: ‎04-10-2013
Message 3 of 20
(4,422 Views)

Hi rob19,

 

This is actually interesting. I haven't heard of something like this with Eudora but I must admit that we have a very small user base of customers that use it. It's not surprising though especially when you consider that all companies are really beefing up on security online these days.

 

If anyone else has experienced this, can you guys chime in also?

 

CJ

Contributor rob19
Contributor
Posts: 4
Registered: ‎03-30-2015
Message 4 of 20
(4,408 Views)

I should have made note of the fact that the validity dates for the rejected certificate are from 2000 to 2025, so it hadn't expired.

 

Someone on the other forum I posted to suggested that the cert may have been reissued with a longer key.  This is really out of my area of expertise so I don't know how to check that.

 

Also that there would be a matching cert in the Windows Trusted Certificate store that would have been updated by Windows Update but was not available to Eudora because it uses its own store, so the rejected cert had to be trusted manually.

 

I just would have hoped there is some other Verizon.net user out there that still uses Eudora or another older mail client that would have experienced this at about the same time I did.

Gold Contributor II
Posts: 4,437
Registered: ‎12-16-2012
Message 5 of 20
(4,372 Views)

All the certificates in the chain from the one for the site you are using back to the root certificate must be valid, including dates. Did the software identify a specific error or certificate? Actually the checks are normally only done until it finds one you have installed as trusted in your certificate (key) cache, which normally means the root certificates of the Trusted Certificate Authorities. And they must not be in a CRL or ARL list (revoked).

 

Contributor rob19
Contributor
Posts: 4
Registered: ‎03-30-2015
Message 6 of 20
(4,346 Views)

For the record, here is the error message generated by Eudora:

 

The server’s SSL certificate was rejected for the following reason:
Certficate Error:  Unknown and unprovided root certificate.
Do you want to trust the certificate in future sessions?

 

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 33554617 (0x20000b9)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
        Validity
            Not Before: May 12 18:46:00 2000 GMT
            Not After : May 12 23:59:00 2025 GMT
        Subject: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)

 

This was followed by the Public Key (in hex) and Yes/No buttons to trust the certificate.

 

After consultation with another forum, I clicked Yes and the e-mail was sent successfully.

 

There were no subsequent certificate errors and no further action was needed.

 

So what do CRL and ARL refer to and where are these lists found?
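The diagnosis reached in Messages 4 to 6 (a root that is still inside its validity period but absent from the client's own store), as an added example that is not part of any poster's message: it parses the dump quoted in Message 6 and classifies it. The `client_store` set of subject names is a hypothetical stand-in for Eudora's private store; a real store matches whole certificates, not names.

```python
import re
from datetime import datetime, timezone

# Text dump copied from the Eudora dialog quoted in Message 6.
DUMP = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 33554617 (0x20000b9)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
        Validity
            Not Before: May 12 18:46:00 2000 GMT
            Not After : May 12 23:59:00 2025 GMT
        Subject: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
"""

def field(dump, label):
    """Return the value of one 'Label: value' line from the dump."""
    m = re.search(rf"^\s*{re.escape(label)}\s*:\s*(.+?)\s*$", dump, re.MULTILINE)
    if m is None:
        raise ValueError(f"missing field: {label}")
    return m.group(1)

def when(text):
    return datetime.strptime(text, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def summarize(dump):
    return {
        "subject": field(dump, "Subject"),
        "self_signed": field(dump, "Issuer") == field(dump, "Subject"),
        "not_before": when(field(dump, "Not Before")),
        "not_after": when(field(dump, "Not After")),
        "key_bits": int(re.search(r"\d+", field(dump, "RSA Public Key")).group()),
    }

def classify(dump, now, client_store):
    """client_store: hypothetical set of subject names the client already trusts."""
    c = summarize(dump)
    if not c["not_before"] <= now <= c["not_after"]:
        return "outside-validity-period"
    if not c["self_signed"]:
        return "not-a-root"  # issuer differs: the chain continues upward
    return "trusted-root" if c["subject"] in client_store else "unknown-root"

if __name__ == "__main__":
    feb_2015 = datetime(2015, 2, 15, tzinfo=timezone.utc)
    print(classify(DUMP, feb_2015, client_store=set()))
```

With an empty store the result corresponds to Eudora's "Unknown and unprovided root certificate" message; adding the subject to the store models clicking Yes.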

 

 

Gold Contributor II
Posts: 4,437
Registered: ‎12-16-2012
Message 7 of 20
(4,321 Views)

Certificate Revocation List and Authority Revocation List.

 

There are lots of threads out there about Eudora using an old CyberTrust certificate. But if you are only using it for your Eudora it probably is not that important.

 

Other threads about it not having certain other authorities' root certificates when using other mail servers. Simple workaround is essentially to use Eudora's tool to find the bad or missing root certificate and to trust it. Since it doesn't affect other products it is safe IF you trust the mail server you are talking to. Also possible to find the CyberTrust root certificate at its site (seems well hidden now that it's a Verizon service) and add it more directly, which I would recommend if doing it to your OS or web browser.

Contributor rob19
Contributor
Posts: 4
Registered: ‎03-30-2015
Message 8 of 20
(4,256 Views)

The relevant threads I have found go back over a year (2013).  Most complaints of this nature were related to incorrect port numbers, which is not my problem.  Perhaps any Eudora or other minority 3rd party client users that may have had this experience more recently simply trusted the certificate and moved on.  But I would feel better knowing that I wasn't the only one.

 

There was at least one reply to an old post which claimed that the problem was with Verizon's certificates but there was no further acknowledgement of that.

 

I'll check back here in the future but after this amount of time, I don't expect to see anything.

 

Thanks very much for the information provided above.

Bronze Contributor I
Posts: 139
Registered: ‎09-25-2008
Message 9 of 20
(4,021 Views)

I'm now in the same boat, EXCEPT when I click yes as to whether I want to use the certificate for future sessions, it lets me in, but does not save the certificate.  I get the mail for that session only.

Any thoughts? I'm about to shift to Eudora OSE or Thunderbird.

Contributor Alan_Douglas
Contributor
Posts: 2
Registered: ‎08-28-2015
Message 10 of 20
(3,616 Views)

Add me to the list as of two days ago.  I can still receive email but get a certificate error when sending it.  I can send via Outlook but that's not terribly convenient.  What has just changed?
