[lug] Understanding a SSL/TLS Certificate Issue

Bear Giles bgiles at coyotesong.com
Thu Jun 18 14:00:56 MDT 2020


I would say it's their end. A lot of CAs and apps are sloppy but it's
entirely legitimate for an app (client or server) to reject a cert chain if
any cert has expired or any cert other than the leaf doesn't have the
critical bit.

Since they provide the cert chain it's up to them to provide you an updated
one where all intermediate certs are valid.

Bear

On Thu, Jun 18, 2020 at 1:14 PM Jed S. Baer <blug at jbaer.cotse.net> wrote:

> Hi Everyone.
>
> I'm having some e-mail trouble, stemming from an apparently expired
> upstream certificate from my mail provider. They haven't told me,
> specifically, whether they think their cert is OK, and why.
>
> MUA is Sylpheed 3.4.2, openssl is 1.0.1f. Yes, I know, it's old. Before I
> run off in some direction, what I would like to know is whether the
> problem is really on my end, or the certificate from my mail service is
> the problem.
>
> The symptom: on sending, my MUA gives me this error:
> > The SSL certificate of www.cotse.net cannot be verified by the
> > following reason: certificate has expired
> >
> > Subject: /OU=Domain Control Validated/OU=PositiveSSL Multi-Domain/CN=www.cotse.net
> > Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
> > Issued date: Jan 18 00:00:00 2019 GMT
> > Expire date: Apr 17 23:59:59 2021 GMT
> >
> > SHA1 fingerprint: 75:64:50:68:65:5F:74:2D:BE:7B:CF:6A:F0:F2:AE:1D:F4:FF:C2:6F
> > MD5 fingerprint: 62:7F:D1:B3:A4:FF:49:8D:AF:31:93:17:8F:F0:4D:5B
>
> I can send mail only by clicking "allow" every time.
>
> The COTSE certificate itself has an expiry date in the future, however,
> it appears that the C2 cert in the chain expired on May 30th. I conclude
> that openssl/TLS is rejecting it for that reason.
>
> I checked the cert using sslchecker.com:
> http://www.sslchecker.com/sslchecker?su=31414a6cb870fa05c86bcf7dee836592
>
> I'm not sure what to make of the "missing" label for the root cert, since
> the download button produces output - Verizon, expired 11/2016. (But
> then, Firefox tells me it has "permanent" certificates with expiry dates
> further back than that.)
>
> I captured the SMTP traffic using wireshark, and only 3 certificates are
> presented, not 4 as shown at sslchecker. I suppose there's a reason for
> that, but it's a curiosity I guess, unless it isn't.
>
> Here is some supporting stuff:
>  - http://jbaer.cotse.net/docs/cotse_smtp_ws_capture.pcapng (wireshark
> capture)
>  - http://jbaer.cotse.net/images/coste_cert_capture_smtp.png (screencap
> showing expired cert)
>
> So, is it a problem with my end or their end?
>
> Thanks in advance.
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
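To make the point of the thread concrete (the leaf cert is valid until Apr 2021, yet a strict client rejects the chain because an intermediate on the path has expired), here is an added example in Go using the standard library's crypto/x509 verifier. It is not code from either poster and it does not use the real Sectigo or COTSE certificates: it builds a constructed root -> intermediate -> leaf chain whose dates mirror the ones quoted above (leaf valid 2019-01-18 to 2021-04-17, intermediate expiring 2020-05-30, clock set to 2020-06-18), reports per certificate whether it is a CA, whether basicConstraints is flagged critical, and whether it has expired, then shows the verifier failing on the intermediate's expiry alone, passing with the clock moved back to May 1, and passing again once the intermediate is reissued from the same root. The host name smtp.example.test, the CA names and all keys are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed scenario: the clock is the day of the thread and the chain dates
// mirror the ones quoted in it; host name, CA names and keys are made up.
var (
	ClockAtPost         = time.Date(2020, 6, 18, 20, 0, 0, 0, time.UTC)
	HostName            = "smtp.example.test" // hypothetical SAN, not the real cotse.net cert
	oidBasicConstraints = asn1.ObjectIdentifier{2, 5, 29, 19}
)

type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
	rootKey, interKey        *ecdsa.PrivateKey // kept so the intermediate can be reissued
}

// CertStatus is what a strict client checks on every cert, not just the leaf.
type CertStatus struct {
	Subject        string
	IsCA, Critical bool // Critical: basicConstraints present and flagged critical
	Expired        bool
}

func date(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 0, 0, 0, 0, time.UTC) }

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign issues tmpl for pub under parent; tmpl == parent yields a self-signed root.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func caTemplate(cn string, serial int64, notBefore, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter,
		IsCA: true, BasicConstraintsValid: true, // Go writes basicConstraints as a critical extension
		KeyUsage: x509.KeyUsageCertSign,
	}
}

// BuildChain issues root -> intermediate -> leaf; only the intermediate's expiry varies.
func BuildChain(interNotAfter time.Time) Chain {
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	rootTmpl := caTemplate("Example Root CA", 1, date(2010, 1, 1), date(2030, 1, 1))
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	inter := sign(caTemplate("Example Domain Validation CA", 2, date(2014, 5, 30), interNotAfter),
		root, &interKey.PublicKey, rootKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: HostName}, DNSNames: []string{HostName},
		NotBefore: date(2019, 1, 18), NotAfter: time.Date(2021, 4, 17, 23, 59, 59, 0, time.UTC), // as in the thread
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return Chain{root, inter, sign(leafTmpl, inter, &leafKey.PublicKey, interKey), rootKey, interKey}
}

// Inspect reports CA flag, basicConstraints criticality and expiry for each cert at `now`.
func Inspect(certs []*x509.Certificate, now time.Time) []CertStatus {
	var out []CertStatus
	for _, c := range certs {
		st := CertStatus{Subject: c.Subject.CommonName, IsCA: c.IsCA, Expired: now.After(c.NotAfter)}
		for _, e := range c.Extensions {
			if e.Id.Equal(oidBasicConstraints) {
				st.Critical = e.Critical
			}
		}
		out = append(out, st)
	}
	return out
}

// VerifyLeaf does what the MUA does: build a path to a trusted root and require
// every certificate on it, intermediates included, to be valid at `now`.
func VerifyLeaf(ch Chain, now time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(ch.Root)
	inters.AddCert(ch.Intermediate)
	_, err := ch.Leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: HostName, CurrentTime: now})
	return err
}

// IsExpiry tells an expiry failure apart from an unknown-issuer or hostname failure.
func IsExpiry(err error) bool {
	var cie x509.CertificateInvalidError
	return errors.As(err, &cie) && cie.Reason == x509.Expired
}

// RenewIntermediate is the provider-side fix: reissue the intermediate from the
// same root, same key, later expiry. The leaf and its signature are untouched.
func RenewIntermediate(ch Chain, newNotAfter time.Time) Chain {
	tmpl := caTemplate(ch.Intermediate.Subject.CommonName, 4, ch.Intermediate.NotBefore, newNotAfter)
	ch.Intermediate = sign(tmpl, ch.Root, &ch.interKey.PublicKey, ch.rootKey)
	return ch
}

func main() {
	ch := BuildChain(time.Date(2020, 5, 30, 23, 59, 59, 0, time.UTC))
	for _, s := range Inspect([]*x509.Certificate{ch.Leaf, ch.Intermediate, ch.Root}, ClockAtPost) {
		fmt.Printf("%-30s CA=%-5v bc-critical=%-5v expired=%v\n", s.Subject, s.IsCA, s.Critical, s.Expired)
	}
	fmt.Println("as sent, 2020-06-18:   ", VerifyLeaf(ch, ClockAtPost))
	fmt.Println("same chain, 2020-05-01:", VerifyLeaf(ch, date(2020, 5, 1)))
	fmt.Println("renewed intermediate:  ", VerifyLeaf(RenewIntermediate(ch, date(2030, 1, 1)), ClockAtPost))
}
```

Run it with `go run`. The first verification fails with a CertificateInvalidError whose Reason is Expired and whose Cert is the intermediate, not the leaf, which is exactly the situation described above: nothing on the client side can fix that short of clicking "allow", and only a reissued intermediate from the provider makes the same leaf verify again. Go's verifier insists that every intermediate carry basicConstraints with CA:TRUE but does not require the extension to be marked critical, which is why Inspect reports the critical flag separately. To run the same checks against a live server, the certificates the server actually sends (the three seen in the wireshark capture) can be pulled with `openssl s_client -starttls smtp -connect host:port -showcerts`, parsed with x509.ParseCertificate, and fed to Inspect.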