[lug] Understanding a SSL/TLS Certificate Issue

Matt Bidwell mbidwell at gmail.com
Thu Jun 18 20:38:13 MDT 2020


Hey,
Did anyone mention this recent known issue with Sectigo certs?
https://www.theregister.com/2020/06/02/sectigo_root_cert_expires/
-Matt
On 6/18/20 1:13 PM, Jed S. Baer wrote:
> Hi Everyone.
> 
> I'm having some e-mail trouble, stemming from an apparently expired
> upstream certificate from my mail provider. They haven't told me,
> specifically, whether they think their cert is OK, and why.
> 
> MUA is Sylpheed 3.4.2, openssl is 1.0.1f. Yes, I know, it's old. Before I
> run off in some direction, what I would like to know is whether the
> problem is really on my end, or the certificate from my mail service is
> the problem.
> 
> The symptom: on sending, my MUA gives me this error:
>> The SSL certificate of www.cotse.net cannot be verified by the
>> following reason: certificate has expired
>>
>> Subject: /OU=Domain Control Validated/OU=PositiveSSL Multi-Domain/CN=www.cotse.net
>> Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
>> Issued date: Jan 18 00:00:00 2019 GMT
>> Expire date: Apr 17 23:59:59 2021 GMT
>>
>> SHA1 fingerprint: 75:64:50:68:65:5F:74:2D:BE:7B:CF:6A:F0:F2:AE:1D:F4:FF:C2:6F
>> MD5 fingerprint: 62:7F:D1:B3:A4:FF:49:8D:AF:31:93:17:8F:F0:4D:5B
> 
> I can send mail only by clicking "allow" every time.
> 
> The COTSE certificate itself has an expiry date in the future, however,
> it appears that the C2 cert in the chain expired on May 30th. I conclude
> that openssl/TLS is rejecting it for that reason.
> 
> I checked the cert using sslchecker.com:
> http://www.sslchecker.com/sslchecker?su=31414a6cb870fa05c86bcf7dee836592
> 
> I'm not sure what to make of the "missing" label for the root cert, since
> the download button produces output - Verizon, expired 11/2016. (But
> then, Firefox tells me it has "permanent" certificates with expiry dates
> further back than that.)
> 
> I captured the SMTP traffic using wireshark, and only 3 certificates are
> presented, not 4 as shown at sslchecker. I suppose there's a reason for
> that, but it's a curiosity I guess, unless it isn't.
> 
> Here is some supporting stuff:
>   - http://jbaer.cotse.net/docs/cotse_smtp_ws_capture.pcapng (wireshark
> capture)
>   - http://jbaer.cotse.net/images/coste_cert_capture_smtp.png (screencap
> showing expired cert)
> 
> So, is it a problem with my end or their end?
> 
> Thanks in advance.
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
> 
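The question in the quoted post (is it my end or theirs?) can be settled from the command line without trusting a third-party checker: dump the chain the SMTP server actually sends during STARTTLS, print the validity window of every certificate in it, and then ask OpenSSL how it judges the path at a chosen point in time. The script below is an added example, not code from either poster; the host, port and file names are placeholders, and the test data it is exercised against is a throwaway CA and leaf generated locally. It is relevant to the Register article Matt links because the failure described there (an expired cross-signing certificate in the chain the server presents) is exactly what shows up as EXPIRED on a non-leaf line here while the leaf still reads VALID.

```shell
#!/bin/sh
# Added example: inspect an SMTP server's STARTTLS certificate chain and
# evaluate it with OpenSSL's own path validation at an arbitrary time.
# Host/port and file names below are placeholders, not values from the thread.
set -u

# fetch_chain HOST PORT: print every PEM certificate the server sends during
# STARTTLS, in the order it sends them (this is what the Wireshark capture shows).
# Needs network access; the rest of the script works on a saved bundle.
fetch_chain() {
    openssl s_client -connect "$1:$2" -starttls smtp -showcerts </dev/null 2>/dev/null |
        sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p'
}

# split_chain BUNDLE OUTDIR: write each certificate in BUNDLE to OUTDIR/cert-N.pem.
split_chain() {
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        n { print > out }
        /^-----END CERTIFICATE-----/   { close(out) }
    ' "$1"
}

# inspect_chain BUNDLE: one line per certificate: VALID/EXPIRED (as of now),
# notAfter, subject, issuer. A chain whose leaf is VALID but whose intermediate
# or root is EXPIRED is the pattern the quoted post describes.
inspect_chain() {
    dir=$(mktemp -d)
    split_chain "$1" "$dir"
    for c in "$dir"/cert-*.pem; do
        # -checkend 0 exits 0 while the cert is still within its validity period
        if openssl x509 -in "$c" -noout -checkend 0 >/dev/null; then st=VALID; else st=EXPIRED; fi
        printf '%s %s | %s | %s\n' "$st" \
            "$(openssl x509 -in "$c" -noout -enddate | cut -d= -f2)" \
            "$(openssl x509 -in "$c" -noout -subject)" \
            "$(openssl x509 -in "$c" -noout -issuer)"
    done
    rm -rf "$dir"
}

# verify_at EPOCH CAFILE LEAF [INTERMEDIATES]: run OpenSSL path validation as it
# would at Unix time EPOCH, against the trust store CAFILE, optionally with the
# server-supplied intermediates as untrusted input. Prints "<leaf>: OK" on
# success, otherwise the verify error (for instance "certificate has expired").
verify_at() {
    epoch=$1 cafile=$2 leaf=$3 untrusted=${4:-}
    if [ -n "$untrusted" ]; then
        openssl verify -attime "$epoch" -CAfile "$cafile" -untrusted "$untrusted" "$leaf" 2>&1
    else
        openssl verify -attime "$epoch" -CAfile "$cafile" "$leaf" 2>&1
    fi
}

# Typical use against a live server (placeholder host/port):
#   fetch_chain mail.example.test 587 > chain.pem
#   inspect_chain chain.pem
#   verify_at "$(date +%s)" /etc/ssl/certs/ca-certificates.crt leaf.pem intermediates.pem
```

Reading the output: if `inspect_chain` marks the leaf VALID and a later line EXPIRED, the server is sending a chain element that has lapsed; whether that breaks the connection depends on the client. A current OpenSSL will usually discard the expired cross-sign and build a path to a newer root already in its store, while an old 1.0.x client such as the one in the quoted post takes the chain as given and reports "certificate has expired". Running `verify_at` with the client's own trust store reproduces that verdict without guessing, and feeding it a future epoch tells you when the next element will lapse.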
