Super Eudora SSL cert freak-out

[kitchin]

Eudora 6.2.5.6, using SSL, is popping up a very large dialog box, with this error:

Code:

The Server's SSL ceritificate was rejected for the following reason:
One certificate in the server cert chain has Expired.
Do you want to trust this certificate in future sessions?

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Server CA/emailAddress=server-certs@thawte.com
        Validity
            Not Before: Aug  1 00:00:00 1996 GMT
            Not After : Dec 31 23:59:59 2020 GMT
        Subject: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Server CA/emailAddress=server-certs@thawte.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:d3:a4:50:6e:c8:ff:56:6b:e6:cf:5d:b6:ea:0c:
                    68:75:47:a2:aa:c2:da:84:25:fc:a8:f4:47:51:da:
                    85:b5:20:74:94:86:1e:0f:75:c9:e9:08:61:f5:06:
                    6d:30:6e:15:19:02:e9:52:c0:62:db:4d:99:9e:e2:
                    6a:0c:44:38:cd:fe:be:e3:64:09:70:c5:fe:b1:6b:
                    29:b6:2f:49:c8:3b:d4:27:04:25:10:97:2f:e7:90:
                    6d:c0:28:42:99:d7:4c:43:de:c3:f5:21:6d:54:9f:
                    5d:c3:58:e1:c0:e4:d9:5b:b0:b8:dc:b4:7b:df:36:
                    3a:c2:b5:66:22:12:d6:87:0d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: md5WithRSAEncryption
        07:fa:4c:69:5c:fb:95:cc:46:ee:85:83:4d:21:30:8e:ca:d9:
        a8:6f:49:1a:e6:da:51:e3:60:70:6c:84:61:11:a1:1a:c8:48:
        3e:59:43:7d:4f:95:3d:a1:8b:b7:0b:62:98:7a:75:8a:dd:88:
        4e:4e:9e:40:db:a8:cc:32:74:b9:6f:0d:c6:e3:b3:44:0b:d9:
        8a:6f:9a:29:9b:99:18:28:3b:d1:e3:40:28:9a:5a:3c:d5:b5:
        e7:20:1b:8b:ca:a4:ab:8d:e9:51:d9:e2:4c:2c:59:a9:da:b9:
        b2:75:1b:f6:42:f2:ef:c7:f2:18:f9:89:bc:a3:ff:8a:23:2e:
        70:47

Clicking "yes" does not help much.
I guess it's time to try Eudora 7, and see if behaves differently...

[Melissa]

Hi kitchin,

Thank you so much for bringing this to our attention. Looks like we missed one during renewal time.... But we are working on it right now.

Thanks again.

[Melissa]

Should be all fixed up now.

[kitchin]

Thanks! I upgraded to Eudora 7 and the "yes" button now works too!

[kitchin]

Eudora is still complaining, on a fresh install of the latest version in a clean directory (7.0.1.0). The override works now, though. Here is the new complaint:

Code:

The Server's SSL certificate was rejected for the following reason:
Certificate Error: Cert Chain not trusted.
Do you want to trust this certificate in future sessions?

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            6b:1f:9d:c8:06:ab:e7:a5:4a:93:64:b5:37:48:a5:f2
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=DigiCert Inc., CN=DigiCert Security Services CA
        Validity
            Not Before: Dec 26 00:00:00 2005 GMT
            Not After : Feb 23 23:59:59 2009 GMT
        Subject: C=US/2.5.4.17=32762-3127, ST=Florida, L=Oviedo/2.5.4.9=PO Box 623127, O=FutureQuest, Inc., OU=Internet Security Division, OU=Hosted by DigiCert, Inc., OU=PlatinumSSL, CN=secure.futurequest.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:9e:e5:aa:5a:aa:f1:8b:0e:9e:ca:ab:fd:7b:84:
                    9a:96:40:e2:50:f4:6f:30:33:23:68:d4:97:04:fa:
                    93:45:76:ce:a7:2f:e8:c0:fd:e9:a2:06:19:f3:0b:
                    00:35:26:ba:1b:e0:e5:9b:29:d9:50:55:10:bf:df:
                    9d:88:c3:13:01:bc:d3:4d:b3:9e:3c:1f:95:35:9b:
                    44:6a:d5:5d:ed:ee:fd:bb:2e:bf:ba:4e:48:aa:d0:
                    9f:7d:80:05:d8:3b:e6:5b:93:9c:62:50:29:13:9f:
                    d6:55:98:07:db:73:82:e8:62:44:72:d5:7a:cc:01:
                    18:5f:5a:0f:c2:4b:9a:40:77
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:30:54:E1:40:63:1B:20:98:57:72:30:3F:62:4B:08:2F:53:87:3D:08

            X509v3 Subject Key Identifier: 
                B9:01:E1:41:3D:A4:91:77:80:01:00:11:D5:54:00:99:05:20:19:35
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            Netscape Cert Type: 
                SSL Client, SSL Server
            X509v3 Certificate Policies: 
                Policy: 1.3.6.1.4.1.6449.1.2.2.6
                  CPS: http://www.digicert.com/ssl-cps-repository.htm

            X509v3 CRL Distribution Points: 
                URI:http://crl.digicert.com/DigiCertSecurityServicesCA_2.crl
                URI:http://crl2.digicert.com/DigiCertSecurityServicesCA_2.crl

    Signature Algorithm: sha1WithRSAEncryption
        13:40:39:ed:47:c1:f4:7a:f5:a7:bf:19:1d:3a:a4:98:77:f8:
        13:29:82:70:f1:2b:89:5e:3e:43:f7:c1:88:eb:fe:30:25:e4:
        f2:51:07:cd:ea:1c:07:ab:ec:0b:93:71:77:07:26:05:04:9f:
        d7:3a:3b:c0:0b:ff:c1:5c:7f:b0:30:1e:85:9e:69:50:b4:89:
        5b:4f:8d:75:71:62:35:3f:52:cd:39:86:a0:60:cc:b5:48:49:
        29:cb:76:72:c7:69:90:cf:ab:96:76:02:0d:1c:a4:40:ba:e9:
        82:13:da:cc:a6:58:77:e5:da:73:a5:7d:50:d4:1d:7b:eb:f2:
        5e:c0:97:c1:b4:af:20:34:3b:8b:10:76:c3:ed:95:09:58:4b:
        2c:3e:6a:49:fb:9a:a6:2b:37:ed:4e:d7:a6:c2:71:91:8b:e7:
        b5:3e:c9:af:47:f1:8c:0d:ef:b4:da:1e:02:f9:67:6d:0b:e5:
        db:4c:a2:c2:4f:e4:5d:a4:c4:cd:a3:54:2f:aa:c4:0f:97:4d:
        8b:53:6c:46:4d:65:a0:b6:ba:9f:c0:af:7b:b0:ae:97:9b:aa:
        6a:77:82:24:e9:1c:dd:4f:05:04:d4:27:46:b5:19:67:2e:a3:
        e7:85:c0:09:c9:f2:f1:f6:d2:bc:b3:be:40:4c:d3:dd:9f:41:
        96:23:60:ab

More info in the status window:

Quote:

SSL Negotiation Failed: Certificate Error: Cert Chain not trusted. Certificate bad: Destination Host name does not match host name in certificate. But ignoring this error because Certificate is trusted. The connection with the server has been lost. Cause: (206)

The error message seems confused itself. It's not ignored.

[Terra]

Kitchin, please test it again, the problem should now be resolved...

The problem was that the new CERT requires an intermediate chain CERT and that was not included in the core CERT bundle for Secure POP3...

--
Terra
sysAdmin
FutureQuest

[kitchin]

Xclnt, no more warnings. Thanks...