[lug] Understanding an SSL/TLS Certificate Issue

Jed S. Baer blug at jbaer.cotse.net
Thu Jun 18 13:13:56 MDT 2020


Hi Everyone.

I'm having some e-mail trouble, stemming from an apparently expired
upstream certificate from my mail provider. They haven't told me,
specifically, whether they think their cert is OK, and why.

MUA is Sylpheed 3.4.2, openssl is 1.0.1f. Yes, I know, it's old. Before I
run off in some direction, what I would like to know is whether the
problem is really on my end, or the certificate from my mail service is
the problem.

The symptom: on sending, my MUA gives me this error:
> The SSL certificate of www.cotse.net cannot be verified by the
> following reason: certificate has expired
> 
> Subject: /OU=Domain Control Validated/OU=PositiveSSL Multi-Domain/CN=www.cotse.net
> Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
> Issued date: Jan 18 00:00:00 2019 GMT
> Expire date: Apr 17 23:59:59 2021 GMT
> 
> SHA1 fingerprint: 75:64:50:68:65:5F:74:2D:BE:7B:CF:6A:F0:F2:AE:1D:F4:FF:C2:6F
> MD5 fingerprint: 62:7F:D1:B3:A4:FF:49:8D:AF:31:93:17:8F:F0:4D:5B

I can send mail only by clicking "allow" every time.

The COTSE certificate itself has an expiry date in the future, however,
it appears that the C2 cert in the chain expired on May 30th. I conclude
that openssl/TLS is rejecting it for that reason.

I checked the cert using sslchecker.com:
http://www.sslchecker.com/sslchecker?su=31414a6cb870fa05c86bcf7dee836592

I'm not sure what to make of the "missing" label for the root cert, since
the download button produces output - Verizon, expired 11/2016. (But
then, Firefox tells me it has "permanent" certificates with expiry dates
further back than that.)

I captured the SMTP traffic using wireshark, and only 3 certificates are
presented, not 4 as shown at sslchecker. I suppose there's a reason for
that, but it's a curiosity I guess, unless it isn't.

Here is some supporting stuff:
 - http://jbaer.cotse.net/docs/cotse_smtp_ws_capture.pcapng (wireshark capture)
 - http://jbaer.cotse.net/images/coste_cert_capture_smtp.png (screencap showing expired cert)

So, is it a problem with my end or their end?

Thanks in advance.
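The post's observation, that the leaf certificate is valid until 2021 yet the client still reports "certificate has expired", comes down to a rule worth seeing in code: a verifier checks the validity window of every link in the presented chain, and one expired intermediate rejects the whole chain no matter how fresh the leaf is. The following added example is not from the post or from Sylpheed/OpenSSL; it is a small stdlib-only Python checker that evaluates a chain at a given date. The leaf entry uses the names and dates quoted in the error above; the two CA entries beneath it are constructed placeholders (the real intermediate and cross-signed certificates are not reproduced in the post), as is the evaluation timestamp.

```python
import ssl
from dataclasses import dataclass
from typing import List, Tuple


# One certificate as the server presented it (leaf first in the chain).
# Dates use the textual form that ssl.getpeercert() returns, e.g.
# 'Jan 18 00:00:00 2019 GMT', so the stdlib parser ssl.cert_time_to_seconds()
# can be used without a third-party X.509 library.
@dataclass
class CertInfo:
    subject: str
    issuer: str
    not_before: str
    not_after: str


def validity_status(cert: CertInfo, at: str) -> str:
    """Classify one certificate at time `at` (same text format as the dates)."""
    now = ssl.cert_time_to_seconds(at)
    if now < ssl.cert_time_to_seconds(cert.not_before):
        return "not yet valid"
    if now > ssl.cert_time_to_seconds(cert.not_after):
        return "expired"
    return "valid"


def chain_report(chain: List[CertInfo], at: str) -> List[Tuple[str, str]]:
    """Status of every link, leaf first. A chain is only as good as its worst link."""
    return [(c.subject, validity_status(c, at)) for c in chain]


def linkage_problems(chain: List[CertInfo]) -> List[str]:
    """Each certificate's issuer must be the subject of the next one presented."""
    return [
        f"{cur.subject!r} is issued by {cur.issuer!r}, but the next cert is {nxt.subject!r}"
        for cur, nxt in zip(chain, chain[1:])
        if cur.issuer != nxt.subject
    ]


def chain_is_acceptable(chain: List[CertInfo], at: str) -> bool:
    """True only if the names link up and every presented certificate is inside
    its validity window at time `at`. This mirrors the simplest verifier
    behaviour: one expired link rejects the chain even when the leaf is fine."""
    return not linkage_problems(chain) and all(
        status == "valid" for _, status in chain_report(chain, at)
    )


# Constructed sample chain. The leaf's names and dates are those quoted in the
# post; the two CA entries are placeholders invented for this example.
SAMPLE_CHAIN = [
    CertInfo(
        subject="CN=www.cotse.net",
        issuer="CN=Sectigo RSA Domain Validation Secure Server CA",
        not_before="Jan 18 00:00:00 2019 GMT",
        not_after="Apr 17 23:59:59 2021 GMT",
    ),
    CertInfo(  # constructed intermediate, still valid at the time of the post
        subject="CN=Sectigo RSA Domain Validation Secure Server CA",
        issuer="CN=EXAMPLE-ROOT (constructed)",
        not_before="Nov 02 00:00:00 2018 GMT",
        not_after="Dec 31 23:59:59 2030 GMT",
    ),
    CertInfo(  # constructed cross-signed entry that expired on 30 May 2020
        subject="CN=EXAMPLE-ROOT (constructed)",
        issuer="CN=EXAMPLE-LEGACY-ROOT (constructed)",
        not_before="May 30 00:00:00 2000 GMT",
        not_after="May 30 00:00:00 2020 GMT",
    ),
]

if __name__ == "__main__":
    # Evaluate the same chain before and after the constructed 30 May expiry.
    for when in ("May 01 00:00:00 2020 GMT", "Jun 18 19:13:56 2020 GMT"):
        verdict = "accepted" if chain_is_acceptable(SAMPLE_CHAIN, when) else "REJECTED"
        print(f"{when} -> {verdict}")
        for subject, status in chain_report(SAMPLE_CHAIN, when):
            print(f"    {status:<13} {subject}")
```

To feed real data into a checker like this, `openssl s_client -showcerts` prints every certificate the server sends (the stdlib's `ssl.get_server_certificate()` only returns the leaf), and `openssl x509 -noout -dates -subject -issuer` prints the fields used above for each one. One caveat a practitioner would add to the "my end or their end" question: 30 May 2020, the date named in the post, is when the AddTrust External CA Root expired, and clients with an old OpenSSL 1.0.x verifier stop at the first path they build, so they reject a chain that runs through an expired cross-signed certificate even though a newer client, which tries alternate paths to a different trusted root, accepts the same server. When that is the situation, the server is sending a stale cross-certificate it no longer needs, and the client is using a verifier that cannot route around it; both ends have something to fix.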

