In February 2015 I began to experience a problem with a rejected SSL certificate (Baltimore CyberTrust Root) using my legacy unsupported e-mail client (Eudora 220.127.116.11) which prevented sending e-mail through smtp.verizon.net on this Windows 7 PC. This had been working find for a long time and, yes, I have set the outgoing port to 465 per changes by Verizon long ago. I was concerned whether or not the rejected certificate should be trusted and did web searches, including on this forum, to see if I could get more information. There have been similar problems in past years, some of which were really related to changing the port number, but there didn’t seem to be anything recent. I contacted Verizon tech support and was told there have been no recent changes and that the problem is on the client side and it was beyond their scope to provide support for a legacy application. I then posted to another forum I belong to and learned that new apps use the Windows Trusted Root Certificate store which is updated through Windows Update but this doesn’t affect any dedicated certificate store for the email client app itself.
I discovered through Wikipedia that the CyberTrust is a company owned by Verizon so that made me feel a bit more comfortable and I ended up trusting the certificate through Eudora and was able to again be able to send e-mail through smtp.verizon.net.
But I’m wondering if anyone else who may be using a legacy email client (Eudora or something else) has had this experience as recently as February and whether you solved it as I did. This would give me some added comfort with having done so.
Many thanks for any input.
03-30-2015 11:42 AM - edited 03-30-2015 11:46 AM
Be concerned. but not necessarily greatly. Even if you had no trust for CyberTrust, its Verizon Certificate for SSL and since you are connected to them there is no real risk.
Usual way to fix these certificates is to locate the root certificate, and if its expired get the new root certificate from the authority. Ocassionally you also have to do Intermediate certificates. A lot of consumer software relies on this being done by the OS its on. And many of these do it automatically as part of their regular maintenance. Don't know much about Eudora, but it may be managing its own certificates, and since support no longer exists these root certificates may have expired.
This is actually interesting. I haven't heard of something like this with Eudora but I must admit that we have a very small user base of customers that use it. It's not surprising though especially when you consider that all companies are really beefing up on security online these days.
If anyone else has experienced this, can you guys chime in also?
I should have made note of the fact that the validity dates for the rejected certificate are from 2000 to 2025, so it hadn't expired.
Someone on the other forum I posted to suggested that the cert may have been reissued with a longer key. This is really out of my area of expertise so I don't know how to check that.
Also that there would be a matching cert in the Windows Trusted Certificate store that would have been updated by Windows update but was not available to Eudora because it uses it's own store so the rejected cert had to be trusted manually.
I just would have hoped there is some other Verizon.net user out there that still uses Eudora or another older mail client that would have experienced this at about the same time I did.
03-31-2015 05:10 AM - edited 03-31-2015 05:44 AM
All the certificates in the chain from the one for the site you are using back to the root certificate must be valid including dates. Did the software identify a specific error or certificate? Actually the checks are normally only done to it finds one you have installed as trusted in your certificate (key) cache which normally means the root certificates of the Trusted Certificate Authorities. And they must not be in CRL or ARL list (revoked).
03-31-2015 01:46 PM - edited 03-31-2015 01:48 PM
For the record, here is the error message generated by Eudora:
The server’s SSL certificate was rejected for the following reason:
Certficate Error: Unknown and unprovided root certificate.
Do you want to trust the certificate in future sessions?
Version: 3 (0x2)
Serial Number: 33554617 (0x20000b9)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
Not Before: May 12 18:46:00 2000 GMT
Not After : May 12 23:59:00 2025 GMT
Subject: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
This was followed by the Pubic Key (in Hex) and Yes/No buttons to trust the certificate
After consultation with another forum, I clicked Yes and the e-mail was sent successfully.
There were no subsequent certificate errors and no further action was needed.
So what do CRL and ARL refer to and where are these lists found?
Certificate Revocation List and Authority Revocation list.
There are lots of threads out there about Eudora using a old Cybertrust certificate. But if you are only using it for your Eudora it probably is not that important..
Other theads about it not having certain other authorities certificate root certificates when using other mail servers. Simple workaround is essentially to use Eudora's tool to find the bad or missing Root certificate and to Trust it. Since it doesn't effect other products it is safe IF you trust the mail server you are talking to. Also possible to find Cybertrust root certificate at its site (seems well hidden now that its a verizon service) and added it more directly which I would recommend if doing to your OS or Webbrowser.
04-07-2015 10:50 AM - edited 04-07-2015 11:48 AM
The relevant threads I have found go back over a year (2013). Most complaints of this nature were related to incorrect port numbers, which is not my problem. Perhaps any Eudora or other minority 3rd party client users that may have had this experience more recently simply trusted the certificate and moved on. But I would feel better knowing that I wasn't the only one.
There was at least one reply to an old post which claimed that the problem was with Verizon's certificates but there was no further acknowledgement of that.
I'll check back here in the future but after this amount of time, I don't expect to see anything.
Thanks very much for the information provided above.
I'm now in the same boat, EXCEPT when I click yes as to whether I want to use the certificate for future sessions, it lets me in, but does not save the certificate. I get the mail for that session only.
Any thoughts. I'm about to shift to EUDORA OSE or THunderbird