Expired certificate - am I being hacked?

Discussion in 'Mail.com' started by jwriter, Dec 12, 2013.

  1. jwriter

    jwriter Valued Member

    Joined:
    Jun 17, 2011
    Messages:
    37
    Likes Received:
    1
    I am getting an expired certificate notice (please see attached). Should I contact mail.com directly? Thank you.
     



  2. popowich

    popowich EQ Forum Admin Staff Member

    Joined:
    Aug 12, 2008
    Messages:
    8,983
    Likes Received:
    120
    Yes, I would try opening a ticket from your mail.com account and let them know that the SSL certificate applied to pop.mail.com expired over 2 months ago.

    Update! No, don't contact them, see two posts below.
     

  3. popowich

    popowich EQ Forum Admin Staff Member

    For the technically curious, how to verify by connecting directly with openssl from a Linux server:

    > openssl s_client -connect pop.mail.com:995
    CONNECTED(00000004)
    depth=2 /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
    verify error:num=20:unable to get local issuer certificate
    verify return:0
    ---
    Certificate chain
    0 s:/C=US/ST=Pennsylvania/L=Chesterbrook/O=1&1 Mail & Media Inc./CN=pop.mail.com
    i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
    1 s:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
    i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
    2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
    i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
    ---
    Server certificate


    Save the certificate to a file, in my case mailcom.crt, then:

    > openssl x509 -in mailcom.crt -noout -text

    Certificate:
    Data:
    Version: 3 (0x2)
    Serial Number:
    19:fb:5d:19:ff:e9:29:16:31:a8:1d:64:f4:55:15:48
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: C=US, O=Thawte, Inc., CN=Thawte SSL CA
    Validity
    Not Before: Sep 24 00:00:00 2013 GMT
    Not After : Oct 4 23:59:59 2014 GMT
    Subject: C=US, ST=Pennsylvania, L=Chesterbrook, O=1&1 Mail & Media Inc., CN=pop.mail.com
    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)
    Modulus (2048 bit):
    Exponent: 65537 (0x10001)
    X509v3 extensions:
    X509v3 Subject Alternative Name:
    DNS:pop.mail.com
    X509v3 Basic Constraints:
    CA:FALSE
    X509v3 Certificate Policies:
    Policy: 2.16.840.1.113733.1.7.54
    CPS: https://www.thawte.com/cps/

    X509v3 Key Usage: critical
    Digital Signature, Key Encipherment
    X509v3 Authority Key Identifier:
    keyid:A7:A2:83:BB:34:45:40:3D:FC:D5:30:4F:12:B9:3E:A1:01:9F:F6:DB

    X509v3 CRL Distribution Points:
    URI:http://svr-ov-crl.thawte.com/ThawteOV.crl

    X509v3 Extended Key Usage:
    TLS Web Server Authentication, TLS Web Client Authentication
    Authority Information Access:
    OCSP - URI:http://ocsp.thawte.com
    CA Issuers - URI:http://svr-ov-aia.thawte.com/ThawteOV.cer

    Signature Algorithm: sha1WithRSAEncryption
     
  4. popowich

    popowich EQ Forum Admin Staff Member

    I take back my original answer. Do not contact mail.com, their certificate is updated. You are seeing the old legitimate but expired certificate. Accept the new certificate. You might need to delete and recreate the configuration in your mail program (sometimes that happens with Outlook or some phones) to force them to download the new certificate.
     
  5. jwriter

    jwriter Valued Member

    Thanks, popowich. For you Mac owners, you can type "openssl s_client -connect pop.mail.com:995" into your Terminal and you will get the results shown.

    I see the new certificate is valid from Sep 24 2013 to Oct 4 2014. My question is, when did the old certificate expire and why am I just seeing this notification?
     
  6. popowich

    popowich EQ Forum Admin Staff Member

    According to your second screen shot above the old certificate expired in October 2013.

    I'm not sure why your mail program waited until now to generate a warning.

    Which mail program do you use?
     
  7. Req

    Req New Email

    Joined:
    Dec 13, 2013
    Messages:
    5
    Likes Received:
    0
    Same here.
    Thunderbird 24.1.0
    pop.mail.com:995

    Also I see a fresh cert with openssl win32 binaries
    openssl s_client -connect pop.mail.com:995
    openssl x509 -in mailcom.crt -noout -text
    on the same machine.

    Deleting cert8.db didn't help to resolve the problem.
     
  8. Req

    Req New Email

  9. Req

    Req New Email

    I see this error in batches, not for every POP request I made.
    I think mail.com is using some kind of round-robin service based on multiple servers/machines, and one or a few of those boxes were configured improperly (with an expired cert file). This is the only explanation I can suggest based on the irregular error pattern.
     
  10. Req

    Req New Email

    Got it finally.

    >openssl s_client -connect pop.mail.com:995

    .......................skip...........


    .....skip...........

    >openssl x509 -in mailcom2.crt -noout -text

    ........skip.........

    Validity
    Not Before: Sep 24 00:00:00 2012 GMT
    Not After : Oct 4 23:59:59 2013 GMT
    Subject: C=US, ST=Pennsylvania, L=Chesterbrook, O=1&1 Mail & Media Inc., OU=MAIL.com, CN=pop.mail.com

    ........skip.........

    So it's 100% on mail.com's side.

    You can catch it too. Just cycle through this command for some time
    openssl s_client -connect pop.mail.com:995
    and look for "tIyAt20=" at the end of the cert body. This is the expired cert's signature.

    The right cert (the updated one) ends with "KNW4Yn":


    openssl x509 -in mailcom.crt -noout -text

    ....skip......

    Not Before: Sep 24 00:00:00 2013 GMT
    Not After : Oct 4 23:59:59 2014 GMT

    ....skip......
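
Added example, not part of the thread: popowich's manual openssl check and Req's "cycle through this command" loop combined into one shell script that polls the endpoint, fingerprints each leaf certificate served, and tallies the distinct ones so a stale backend behind a round-robin name stands out. The function names, the `certpoll.sh` filename and the sample fingerprints are assumptions made for illustration; the two notAfter dates are the ones quoted above.

```shell
#!/bin/sh
# Added example: poll one TLS endpoint and tally the leaf certificates served.

# probe_once HOST PORT -> "<sha256 fingerprint> <valid|EXPIRED> <notAfter>"
probe_once() {
    pem=$(openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
          openssl x509 2>/dev/null) || return 1
    fp=$(printf '%s\n' "$pem" | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2)
    end=$(printf '%s\n' "$pem" | openssl x509 -noout -enddate | cut -d= -f2)
    # -checkend 0 exits non-zero once notAfter is in the past
    if printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null; then
        state=valid
    else
        state=EXPIRED
    fi
    printf '%s %s %s\n' "$fp" "$state" "$end"
}

# tally_certs: read probe_once lines on stdin, print "<count> <line>" per
# distinct certificate, most frequent first; return 1 if any is EXPIRED.
tally_certs() {
    sort | uniq -c | sort -rn |
        awk '{ $1 = $1; print } $3 == "EXPIRED" { bad = 1 } END { exit bad + 0 }'
}

# poll HOST PORT COUNT: probe COUNT times, one second apart, then tally.
poll() {
    i=0
    while [ "$i" -lt "$3" ]; do
        probe_once "$1" "$2" || echo "no-certificate ERROR -"
        i=$((i + 1))
        sleep 1
    done | tally_certs
}

# Constructed sample of probe_once output: placeholder fingerprints, with the
# two notAfter dates quoted in the thread.
SAMPLE='FP-NEW-constructed valid Oct  4 23:59:59 2014 GMT
FP-NEW-constructed valid Oct  4 23:59:59 2014 GMT
FP-OLD-constructed EXPIRED Oct  4 23:59:59 2013 GMT
FP-NEW-constructed valid Oct  4 23:59:59 2014 GMT'

if [ "$#" -ge 2 ]; then
    poll "$1" "$2" "${3:-20}"      # e.g. sh certpoll.sh pop.mail.com 995 30
else
    printf '%s\n' "$SAMPLE" | tally_certs ||
        echo "=> at least one backend is serving an expired certificate"
fi
```

More than one fingerprint in the tally means different backends are serving different certificates; the non-zero exit status makes the script usable from cron or a monitoring check.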
     
  11. popowich

    popowich EQ Forum Admin Staff Member

    Nice catch! :thanks:
     
  12. Req

    Req New Email

    Reported to mail.com premium support a few days ago.

    "We would like to inform you that the reported matter has been solved".

    No more expired cert warnings on my side at the moment.
    Thank you guys for your help here.
     
